diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2018-04-26 10:41:21 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-04-26 10:41:21 +0200 |
| commit | db01b4edfd45dd702d975a51f3dd6237d83ceccc (patch) | |
| tree | eff45ec6beed9f065596ea680dfcf88981ed2e7c | |
| parent | 3b41839e2e4e27707b3f52918b65cec7d8d70fd2 (diff) | |
| download | curl-bagder/http2-another-strstr.tar.gz | |
http2: get rid of another strstr()bagder/http2-another-strstr
Follow-up to 1514c44655e12e: replace another strstr() call done on a
buffer that might not be zero terminated - with a memchr() call, even if
we know the substring will be found.
Assisted-by: Max Dymond
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
| -rw-r--r-- | lib/http2.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c index 7dea16125..25d74c1a1 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -1923,8 +1923,10 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, hdbuf = line_end + 2; - line_end = strstr(hdbuf, "\r\n"); - if(line_end == hdbuf) + /* check for next CR, but only within the piece of data left in the given + buffer */ + line_end = memchr(hdbuf, '\r', len - (hdbuf - (char *)mem)); + if(!line_end || (line_end == hdbuf)) goto fail; /* header continuation lines are not supported */ |