From: Sergey Matveev
Date: Mon, 23 Jan 2023 07:50:20 +0000 (+0300)
Subject: Stricter header validation
X-Git-Tag: v2.4.0^0
X-Git-Url: http://www.git.cypherpunks.ru/?p=netstring.git;a=commitdiff_plain;h=8077b5bcd6f6d5d0b7b66a902ca28ce2bab66086

Stricter header validation
---

diff --git a/ns_test.go b/ns_test.go
index dbdaa8d..6ac07e4 100644
--- a/ns_test.go
+++ b/ns_test.go
@@ -131,6 +131,18 @@ func TestErrors(t *testing.T) {
 if _, err := r.Read(data); err == nil {
 t.FailNow()
 }
+
+ b = bytes.NewBufferString(":foobar,")
+ r = NewReader(b)
+ if _, err := r.Next(); err == nil {
+ t.FailNow()
+ }
+
+ b = bytes.NewBufferString("06:foobar,")
+ r = NewReader(b)
+ if _, err := r.Next(); err == nil {
+ t.FailNow()
+ }
 }
 
 func TestExample(t *testing.T) {
diff --git a/r.go b/r.go
index 0c65fd4..9b8f510 100644
--- a/r.go
+++ b/r.go
@@ -48,7 +48,11 @@ func (r *Reader) Next() (uint64, error) {
 if err != nil {
 return 0, fmt.Errorf("netstring header: %w", err)
 }
- size, err := strconv.ParseUint(string(lenRaw[:len(lenRaw)-1]), 10, 64)
+ lenRaw = lenRaw[:len(lenRaw)-1]
+ if len(lenRaw) > 1 && lenRaw[0] == '0' {
+ return 0, errors.New("netstring header: leading zero")
+ }
+ size, err := strconv.ParseUint(string(lenRaw), 10, 64)
 if err != nil {
 return 0, fmt.Errorf("netstring header: %w", err)
 }
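Review bot: The two cases added at the end of TestErrors only check that `r.Next()` returns some error and fail with a bare `t.FailNow()`, so a failing run does not say which header was wrongly accepted. A message such as `t.Fatal("header with leading zero accepted")` on the `06:foobar,` case, and a matching one on the empty-length case, would make the report readable. The new guard in r.go is `len(lenRaw) > 1`, so a positive case showing that `0:,` is still accepted would pin that boundary, unless a test outside this hunk already covers it. TestErrors begins before the hunk.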
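Review bot: The leading-zero rejection in Next() returns an anonymous `errors.New(...)` value that shares the `netstring header:` prefix with the wrapped ParseUint errors, so a caller or a log pipeline can tell a non-canonical length from a malformed one only by matching the message text. A package-level sentinel, for example `var ErrLeadingZero = errors.New("netstring header: leading zero")` returned here, would let callers use `errors.Is` and count these rejections separately. The check also deserves a why-comment, e.g. `// A length has exactly one valid spelling; reject "06:" so two parsers cannot frame the same bytes differently.` The body of Next() starts and continues outside the hunk, so whether the header read above is bounded in length cannot be judged from here.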