Stricter header validation

diff --git a/ns_test.go b/ns_test.go
index dbdaa8d4c81505eca1059b8a04a5d16582fa9519..6ac07e42f662ce075532867fd06854c98d81c7bf 100644 (file)
--- a/ns_test.go
+++ b/ns_test.go
@@ -131,6 +131,18 @@ func TestErrors(t *testing.T) {
        if _, err := r.Read(data); err == nil {
                t.FailNow()
        }
+
+       b = bytes.NewBufferString(":foobar,")
+       r = NewReader(b)
+       if _, err := r.Next(); err == nil {
+               t.FailNow()
+       }
+
+       b = bytes.NewBufferString("06:foobar,")
+       r = NewReader(b)
+       if _, err := r.Next(); err == nil {
+               t.FailNow()
+       }
 }
 
 func TestExample(t *testing.T) {

diff --git a/r.go b/r.go
index 0c65fd41d01d5039c2b9a3e36bbf9cb6e6b3f892..9b8f51069e541d86986497e383dec57349f563b8 100644 (file)
--- a/r.go
+++ b/r.go
@@ -48,7 +48,11 @@ func (r *Reader) Next() (uint64, error) {
        if err != nil {
                return 0, fmt.Errorf("netstring header: %w", err)
        }
-       size, err := strconv.ParseUint(string(lenRaw[:len(lenRaw)-1]), 10, 64)
+       lenRaw = lenRaw[:len(lenRaw)-1]
+       if len(lenRaw) > 1 && lenRaw[0] == '0' {
+               return 0, errors.New("netstring header: leading zero")
+       }
+       size, err := strconv.ParseUint(string(lenRaw), 10, 64)
        if err != nil {
                return 0, fmt.Errorf("netstring header: %w", err)
        }