diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2018-04-20 16:32:46 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-04-20 16:32:46 +0200 |
| commit | d0aa97e9054f37d7f63ca12863a35fde91896824 (patch) | |
| tree | a9e6b6c929044868341112a51b0a3e7ebf7c58d3 | |
| parent | a3f385393ae63c99ab6e508d3b720a1da04c2f67 (diff) | |
| download | curl-bagder/http2-avoid-strstr-on-data.tar.gz | |
http2: avoid strstr() on data not zero terminatedbagder/http2-avoid-strstr-on-data
It's not strictly clear if the API contract allows us to call strstr()
on a string that isn't zero terminated even when we know it will find
the substring, and clang's ASAN check dislikes us for it.
Also added a check of the return code in case it fails, even if I can't
think of a situation how that can trigger.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
| -rw-r--r-- | lib/http2.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c index e60ae247b..077c03e6f 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -1851,8 +1851,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, return -1; } - /* Extract :method, :path from request line */ - line_end = strstr(hdbuf, "\r\n"); + /* Extract :method, :path from request line + We do line endings with CRLF so checking for CR is enough */ + line_end = memchr(hdbuf, '\r', len); + if(!line_end) + goto fail; /* Method does not contain spaces */ end = memchr(hdbuf, ' ', line_end - hdbuf); |