author     Paul Dreik <github@pauldreik.se>   2019-09-20 13:25:20 +0200
committer  Daniel Stenberg <daniel@haxx.se>  2019-09-21 15:57:17 +0200
commit     47066036a084a9ba0caf46db24072a429c44fabb (patch)
tree       3b27e4422c4b17ab6ba1424c77045fef9b07bcdf /lib/urlapi.c
parent     63a8d2b172072e69c6dc94a3859a759ba0b2d397 (diff)
download   curl-47066036a084a9ba0caf46db24072a429c44fabb.tar.gz
urlapi: avoid index underflow for short ipv6 hostnames
If the input hostname is "[", hlen will underflow to the maximum of size_t
when 2 is subtracted from it.
hostname[hlen] will then cause a warning by ubsanitizer:
runtime error: addition of unsigned offset to 0x<snip> overflowed to
0x<snip>
I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".
This can be demonstrated by the following program (tested in both clang
and gcc, with -O3):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void) {
      char *hostname = strdup("[");
      size_t hlen = strlen(hostname);  /* 1 */
      hlen -= 2;                       /* wraps around to SIZE_MAX - 1 */
      hostname++;
      /* out-of-range index in the abstract machine; in practice the pointer
         arithmetic wraps back to the original "[" */
      printf("character is %d\n", +hostname[hlen]);
      free(hostname - 1);
    }
I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.
Closes #4389
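A hardened version of the bracketed-literal check the commit describes, added here as an illustration rather than curl's own code: it applies the same length guard before `hlen -= 2`, and then also verifies the closing bracket and the allowed character set that appear in the patch. The function name, the status enum, the output buffer and the sample inputs are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes standing in for the CURLUcode values the patch
   uses; they are not curl's own definitions. */
enum literal_status { LITERAL_OK = 0, LITERAL_MALFORMED = 1 };

/* Validate a bracketed IPv6 literal such as "[::1]" and copy the address
   between the brackets into out. The length guard runs before the bracket
   stripping, so hlen -= 2 can never wrap around for inputs like "[". */
enum literal_status check_ipv6_literal(const char *hostname,
                                       char *out, size_t outlen)
{
  const char *allowed = "0123456789abcdefABCDEF:."; /* same set as the patch */
  size_t hlen = strlen(hostname);

  if(hostname[0] != '[')
    return LITERAL_MALFORMED;       /* not a bracketed literal at all */
  if(hlen < 5)                      /* '[::1]' is the shortest accepted form */
    return LITERAL_MALFORMED;       /* the guard the commit adds */

  hostname++;                       /* skip the opening '[' */
  hlen -= 2;                        /* safe: hlen >= 5 here */
  if(hostname[hlen] != ']')         /* the literal must end with ']' */
    return LITERAL_MALFORMED;
  if(strspn(hostname, allowed) != hlen) /* only hex digits, ':' and '.' inside */
    return LITERAL_MALFORMED;
  if(hlen + 1 > outlen)             /* caller's buffer too small */
    return LITERAL_MALFORMED;

  memcpy(out, hostname, hlen);
  out[hlen] = '\0';
  return LITERAL_OK;
}

int main(void)
{
  /* constructed sample inputs, including the fuzzer case from the commit */
  const char *samples[] = { "[", "[]", "[::1]", "[::1:", "[g::1]",
                            "[2001:db8::1]" };
  char addr[64];
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    enum literal_status st = check_ipv6_literal(samples[i], addr, sizeof addr);
    printf("%-16s -> %s\n", samples[i],
           st == LITERAL_OK ? addr : "malformed");
  }
  return 0;
}
```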
Diffstat (limited to 'lib/urlapi.c')
-rw-r--r--  lib/urlapi.c  2
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c index 903fe1804..1334236b2 100644 --- a/lib/urlapi.c +++ b/lib/urlapi.c @@ -598,6 +598,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) if(hostname[0] == '[') { char dest[16]; /* fits a binary IPv6 address */ const char *l = "0123456789abcdefABCDEF:."; + if(hlen < 5) /* '[::1]' is the shortest possible valid string */ + return CURLUE_MALFORMED_INPUT; hostname++; hlen -= 2; |
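Review bot: the threshold `if(hlen < 5)` with the comment that '[::1]' is the shortest possible valid string also rejects "[::]", the IPv6 unspecified address, which is four characters and a syntactically valid bracketed literal. The wrap-around in `hlen -= 2` only needs `hlen >= 2`, so `if(hlen < 4) /* '[::]' is the shortest possible valid string */` would guard the subtraction without narrowing the accepted input.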