[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnurl] 62/222: urlapi: avoid index underflow for short ipv6 hostnames
|
From: |
gnunet |
|
Subject: |
[gnurl] 62/222: urlapi: avoid index underflow for short ipv6 hostnames |
|
Date: |
Thu, 07 Nov 2019 00:09:18 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 47066036a084a9ba0caf46db24072a429c44fabb
Author: Paul Dreik <address@hidden>
AuthorDate: Fri Sep 20 13:25:20 2019 +0200
urlapi: avoid index underflow for short ipv6 hostnames
If the input hostname is "[", hlen will underflow to max of size_t when
it is subtracted with 2.
hostname[hlen] will then cause a warning by ubsanitizer:
runtime error: addition of unsigned offset to 0x<snip> overflowed to
0x<snip>
I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".
This can be demonstrated by the following program (tested in both clang
and gcc, with -O3)
int main() {
char* hostname=strdup("[");
size_t hlen = strlen(hostname);
hlen-=2;
hostname++;
printf("character is %d\n",+hostname[hlen]);
free(hostname-1);
}
I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.
Closes #4389
---
lib/urlapi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 903fe1804..1334236b2 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -598,6 +598,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char
*hostname)
if(hostname[0] == '[') {
char dest[16]; /* fits a binary IPv6 address */
const char *l = "0123456789abcdefABCDEF:.";
+ if(hlen < 5) /* '[::1]' is the shortest possible valid string */
+ return CURLUE_MALFORMED_INPUT;
hostname++;
hlen -= 2;
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [gnurl] 68/222: altsvc: both backends run h3-23 now, (continued)
- [gnurl] 68/222: altsvc: both backends run h3-23 now, gnunet, 2019/11/06
- [gnurl] 48/222: imap: merged two case-branches performing the same action, gnunet, 2019/11/06
- [gnurl] 50/222: mime: make Curl_mime_duppart() assert if called without valid dst, gnunet, 2019/11/06
- [gnurl] 57/222: tool_operate: Expression 'config->resume_from' is always true, gnunet, 2019/11/06
- [gnurl] 67/222: http: fix warning on conversion from int to bit, gnunet, 2019/11/06
- [gnurl] 81/222: libssh: The expression is excessive or contains a misprint, gnunet, 2019/11/06
- [gnurl] 51/222: setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly, gnunet, 2019/11/06
- [gnurl] 52/222: urlapi: part of conditional expression is always true: (relurl[0] == '/'), gnunet, 2019/11/06
- [gnurl] 56/222: tool_getparam: remove duplicate switch case, gnunet, 2019/11/06
- [gnurl] 65/222: appveyor: upgrade VS2017 to VS2019, gnunet, 2019/11/06
- [gnurl] 62/222: urlapi: avoid index underflow for short ipv6 hostnames,
gnunet <=
- [gnurl] 63/222: cookie: pass in the correct cookie amount to qsort(), gnunet, 2019/11/06
- [gnurl] 66/222: urldata: use 'bool' for the bit type on MSVC compilers, gnunet, 2019/11/06
- [gnurl] 73/222: RELEASE-NOTES: synced, gnunet, 2019/11/06
- [gnurl] 72/222: openssl: fix compiler warning with LibreSSL, gnunet, 2019/11/06
- [gnurl] 79/222: vauth: The parameter 'status' must be surrounded by parentheses, gnunet, 2019/11/06
- [gnurl] 78/222: doh: allow only http and https in debug mode, gnunet, 2019/11/06
- [gnurl] 71/222: curl: exit the create_transfers loop on errors, gnunet, 2019/11/06
- [gnurl] 80/222: quiche: The expression must be surrounded by parentheses, gnunet, 2019/11/06
- [gnurl] 69/222: travis: enable ngtcp2 h3-23 builds, gnunet, 2019/11/06
- [gnurl] 86/222: strcase: fix raw lowercasing the letter X, gnunet, 2019/11/06