author: Daniel Stenberg <daniel@haxx.se> 2018-04-26 10:41:21 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-04-26 14:55:26 +0200
commit: 2ef1662e4bc20f1641bc678141c2df0e42e21e3f
tree: eff45ec6beed9f065596ea680dfcf88981ed2e7c /lib
parent: 3b41839e2e4e27707b3f52918b65cec7d8d70fd2
http2: get rid of another strstr()
Follow-up to 1514c44655e12e: replace another strstr() call done on a buffer that might not be zero terminated - with a memchr() call, even if we know the substring will be found.

Assisted-by: Max Dymond
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
Closes #2534
Diffstat (limited to 'lib')
-rw-r--r-- lib/http2.c 6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 7dea16125..25d74c1a1 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1923,8 +1923,10 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
hdbuf = line_end + 2;
- line_end = strstr(hdbuf, "\r\n");
- if(line_end == hdbuf)
+ /* check for next CR, but only within the piece of data left in the given
+ buffer */
+ line_end = memchr(hdbuf, '\r', len - (hdbuf - (char *)mem));
+ if(!line_end || (line_end == hdbuf))
goto fail;
/* header continuation lines are not supported */
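Review bot: the length passed to memchr(), `len - (hdbuf - (char *)mem)`, is computed right after `hdbuf = line_end + 2` with no visible check that hdbuf is still inside the `len` bytes starting at `mem`. If the previous CR sat in the last byte of the buffer, hdbuf is one past the end, the subtraction goes negative, and as an unsigned size argument it becomes a huge count, so the search is no longer bounded. Consider testing hdbuf against `(char *)mem + len` and going to fail before the call. A second point on the same line: the search now matches a lone '\r' where strstr() required "\r\n", so code after this that steps over two bytes relies on the LF being present; if that is guaranteed by earlier validation, saying so in the comment would help, otherwise check `line_end[1] == '\n'` after confirming that byte is within the buffer.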