From 47066036a084a9ba0caf46db24072a429c44fabb Mon Sep 17 00:00:00 2001
From: Paul Dreik
Date: Fri, 20 Sep 2019 13:25:20 +0200
Subject: urlapi: avoid index underflow for short ipv6 hostnames

If the input hostname is "[", hlen will underflow to max of size_t when
it is subtracted with 2.

hostname[hlen] will then cause a warning by ubsanitizer:

runtime error: addition of unsigned offset to 0x overflowed to 0x

I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".

This can be demonstrated by the following program (tested in both clang
and gcc, with -O3):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
  char* hostname=strdup("[");
  size_t hlen = strlen(hostname);
  hlen-=2;              /* wraps to SIZE_MAX for a one-character string */
  hostname++;
  printf("character is %d\n",+hostname[hlen]);
  free(hostname-1);
}

I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.

Closes #4389
---
 lib/urlapi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/urlapi.c b/lib/urlapi.c
index 903fe1804..1334236b2 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -598,6 +598,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
   if(hostname[0] == '[') {
     char dest[16]; /* fits a binary IPv6 address */
     const char *l = "0123456789abcdefABCDEF:.";
+    if(hlen < 5) /* '[::1]' is the shortest possible valid string */
+      return CURLUE_MALFORMED_INPUT;
     hostname++;
     hlen -= 2;
-- 
cgit v1.2.1
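Review bot: the `if(hlen < 5)` threshold in the lib/urlapi.c hunk rejects "[::]", the bracketed unspecified address, which is a valid IPv6 literal of length 4, so the comment's claim that '[::1]' is the shortest possible valid string is not right. Suggest `if(hlen < 4) /* '[::]' is the shortest possible valid string */`; a minimum of 4 still guarantees that the `hlen -= 2` which follows cannot underflow, and anything of length 4 that is not "[::]" is left to the existing address validation that `dest` and the allowed-character list `l` are set up for.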
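The underflow the commit message describes, next to a bounds-checked version of the same bracket stripping, as an added example that is not curl's code and not from the commit above. The function names inner_len_unchecked and ipv6_host_check, the min_len parameter (4 or 5, so the reader can compare thresholds), and the use of inet_pton as a stand-in for curl's own IPv6 literal parser are all assumptions made for this example; it goes beyond the patch by also exercising "[::]" and a few other short inputs.

```c
/* Added example (not curl's code): a minimal stand-in for the bracketed
 * IPv6 branch of hostname_check(), showing the size_t wrap on "[" and a
 * version that checks the length before stripping the brackets.
 * Function names and the min_len parameter are made up for this example;
 * inet_pton stands in for curl's own address parser. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HOST_OK = 0, HOST_MALFORMED = 1 };

/* Mirrors the pre-patch arithmetic: subtract 2 for the two brackets
 * without checking that two characters exist.  For "[" the length is 1,
 * so the unsigned subtraction wraps to SIZE_MAX, which is the offset the
 * sanitizer complained about in hostname[hlen]. */
size_t inner_len_unchecked(const char *hostname)
{
    size_t hlen = strlen(hostname);
    hlen -= 2;                          /* wraps when hlen < 2 */
    return hlen;
}

/* Hardened check.  min_len is the shortest bracketed literal accepted:
 * 4 admits "[::]", 5 (the value in the patch) rejects it. */
int ipv6_host_check(const char *hostname, size_t min_len)
{
    const char *allowed = "0123456789abcdefABCDEF:.";
    char inner[INET6_ADDRSTRLEN];       /* 46 bytes incl. NUL */
    unsigned char dest[16];             /* binary IPv6 address */
    size_t hlen = strlen(hostname);

    if(hostname[0] != '[')
        return HOST_MALFORMED;          /* only bracketed form handled */
    if(hlen < min_len)
        return HOST_MALFORMED;          /* the early return the patch adds */
    if(hostname[hlen - 1] != ']')
        return HOST_MALFORMED;          /* hlen >= 1 here, index is safe */

    hlen -= 2;                          /* characters between brackets */
    if(hlen >= sizeof(inner))
        return HOST_MALFORMED;          /* bound the copy */
    memcpy(inner, hostname + 1, hlen);
    inner[hlen] = '\0';

    if(strspn(inner, allowed) != hlen)
        return HOST_MALFORMED;          /* character outside the set */
    if(inet_pton(AF_INET6, inner, dest) != 1)
        return HOST_MALFORMED;          /* not a parseable IPv6 literal */
    return HOST_OK;
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = { "[", "[]", "[::]", "[::1]", "[::1",
                             "[1::2::3]", "[2001:db8::1]" };
    size_t i;

    printf("unchecked inner length of \"[\": %zu (SIZE_MAX is %zu)\n",
           inner_len_unchecked("["), (size_t)SIZE_MAX);
    for(i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-14s min_len=5: %s  min_len=4: %s\n", inputs[i],
               ipv6_host_check(inputs[i], 5) == HOST_OK ? "ok " : "bad",
               ipv6_host_check(inputs[i], 4) == HOST_OK ? "ok " : "bad");
    return 0;
}
```

The length check must come before the subtraction, as in the patch; the later `hostname[hlen - 1]` and `memcpy` bounds are only sound because hlen is known to be at least 1 and at most sizeof(inner) + 1 at the point they run. Running the two thresholds side by side shows the one input they disagree on, "[::]".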