author: Daniel Stenberg <daniel@haxx.se> 2018-04-20 16:32:46 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-04-20 22:16:50 +0200
commit: 1514c44655e12e93e453bbc9e1934cf6d30d3817 (patch)
tree: 36493070de0d72c3ee865ed6450cf60390b9fb9f
parent: b0a50227c07654e47598c90fe55cee1c890cc4a4 (diff)
http2: avoid strstr() on data not zero terminated
It's not strictly clear if the API contract allows us to call strstr() on a string that isn't zero terminated even when we know it will find the substring, and clang's ASAN check dislikes us for it.

Also added a check of the return code in case it fails, even if I can't think of a situation how that can trigger.

Detected by OSS-Fuzz
Closes #2513
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
-rw-r--r-- lib/http2.c 7
1 file changed, 5 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c
index e60ae247b..077c03e6f 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1851,8 +1851,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
return -1;
}
- /* Extract :method, :path from request line */
- line_end = strstr(hdbuf, "\r\n");
+ /* Extract :method, :path from request line
+ We do line endings with CRLF so checking for CR is enough */
+ line_end = memchr(hdbuf, '\r', len);
+ if(!line_end)
+ goto fail;
/* Method does not contain spaces */
end = memchr(hdbuf, ' ', line_end - hdbuf);
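Review bot: The new `line_end = memchr(hdbuf, '\r', len);` only proves that a CR exists somewhere within `len` bytes; it no longer proves that an LF follows it inside the buffer, which the old two-byte `"\r\n"` match did. If code after this hunk steps two bytes past `line_end` to reach the first header, a request buffer whose final byte is a bare CR would put that pointer past `hdbuf + len`. Consider also checking `line_end + 1 < hdbuf + len && line_end[1] == '\n'` before continuing, or extend the comment to say which caller guarantees that the line ending is always a complete CRLF. A smaller style point: the second line of the rewritten comment would read better aligned under the first with a leading ` * `.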