Stricter header validation

[netstring.git] / r.go

diff --git a/r.go b/r.go
index 0c65fd41d01d5039c2b9a3e36bbf9cb6e6b3f892..9b8f51069e541d86986497e383dec57349f563b8 100644 (file)
--- a/r.go
+++ b/r.go
@@ -48,7 +48,11 @@ func (r *Reader) Next() (uint64, error) {
        if err != nil {
                return 0, fmt.Errorf("netstring header: %w", err)
        }
-       size, err := strconv.ParseUint(string(lenRaw[:len(lenRaw)-1]), 10, 64)
+       lenRaw = lenRaw[:len(lenRaw)-1]
+       if len(lenRaw) > 1 && lenRaw[0] == '0' {
+               return 0, errors.New("netstring header: leading zero")
+       }
+       size, err := strconv.ParseUint(string(lenRaw), 10, 64)
        if err != nil {
                return 0, fmt.Errorf("netstring header: %w", err)
        }