From 643fac1e01102524e44ead188e865830ebdfb1f4 Mon Sep 17 00:00:00 2001
From: Pyfisch <pyfisch@gmail.com>
Date: Sun, 5 Mar 2017 12:40:06 +0100
Subject: [PATCH] fix(headers): add length checks to ETag parsing

Bug found using `cargo fuzz`.
---
 src/header/common/etag.rs   | 3 +++
 src/header/shared/entity.rs | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/header/common/etag.rs b/src/header/common/etag.rs
index 068c8599fd..685c5d6342 100644
--- a/src/header/common/etag.rs
+++ b/src/header/common/etag.rs
@@ -83,6 +83,9 @@ header! {
         test_header!(test14,
             vec![b"matched-\"dquotes\""],
             None::<ETag>);
+        test_header!(test15,
+            vec![b"\""],
+            None::<ETag>);
     }
 }
 
diff --git a/src/header/shared/entity.rs b/src/header/shared/entity.rs
index 3c2d9e6c93..063ecb6d9a 100644
--- a/src/header/shared/entity.rs
+++ b/src/header/shared/entity.rs
@@ -123,15 +123,17 @@ impl FromStr for EntityTag {
         let length: usize = s.len();
         let slice = &s[..];
         // Early exits if it doesn't terminate in a DQUOTE.
-        if !slice.ends_with('"') {
+        if !slice.ends_with('"') || slice.len() < 2 {
             return Err(::Error::Header);
         }
         // The etag is weak if its first char is not a DQUOTE.
-        if slice.starts_with('"') && check_slice_validity(&slice[1..length-1]) {
+        if slice.len() >= 2 && slice.starts_with('"')
+                && check_slice_validity(&slice[1..length-1]) {
             // No need to check if the last char is a DQUOTE,
             // we already did that above.
             return Ok(EntityTag { weak: false, tag: slice[1..length-1].to_owned() });
-        } else if slice.starts_with("W/\"") && check_slice_validity(&slice[3..length-1]) {
+        } else if slice.len() >= 4 && slice.starts_with("W/\"")
+                && check_slice_validity(&slice[3..length-1]) {
             return Ok(EntityTag { weak: true, tag: slice[3..length-1].to_owned() });
         }
         Err(::Error::Header)