From: Matthew DeVore <matvore@comcast.net>
To: "René Scharfe" <l.s.r@web.de>
Cc: Matthew DeVore <matvore@google.com>,
git@vger.kernel.org, jeffhost@microsoft.com, gitster@pobox.com,
spearce@spearce.org, jrn@google.com, Jeff King <peff@peff.net>
Subject: Re: [PATCH 1/2] url: do not read past end of buffer
Date: Tue, 4 Jun 2019 10:22:38 -0700 [thread overview]
Message-ID: <20190604172238.GJ4641@comcast.net> (raw)
In-Reply-To: <18ab56e2-3b25-8cfd-438d-72f49145adc4@web.de>
On Tue, Jun 04, 2019 at 07:00:34AM +0200, René Scharfe wrote:
> Am 03.06.19 um 22:45 schrieb Matthew DeVore:
> > url_decode_internal could have been tricked into reading past the length
> > of the **query buffer if there are fewer than 2 characters after a % (in
> > a null-terminated string, % would have to be the last character).
> > Prevent this from happening by checking len before decoding the %
> > sequence.
> >
> > Signed-off-by: Matthew DeVore <matvore@google.com>
> > ---
> > url.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/url.c b/url.c
> > index 25576c390b..c0bb4e23c3 100644
> > --- a/url.c
> > +++ b/url.c
> > @@ -39,21 +39,21 @@ static char *url_decode_internal(const char **query, int len,
> > unsigned char c = *q;
> >
> > if (!c)
> > break;
> > if (stop_at && strchr(stop_at, c)) {
> > q++;
> > len--;
> > break;
> > }
> >
> > - if (c == '%') {
> > + if (c == '%' && len >= 3) {
>
> Tricky. hex2chr() makes sure to not run over the end of NUL-terminated
> strings, but url_decode_internal() is supposed to honor the parameter
> len as well. Your change disables %-decoding for the two callers that
> pass -1 as len, though. So perhaps like this?
>
> if (c == '%' && (len < 0 || len >= 3)) {
I've applied this and will include it in the next roll-up. Thank you for
catching it. (I'm disappointed that I missed it and that there were no tests to
catch the mistake.)
next prev parent reply other threads:[~2019-06-04 17:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-03 20:45 [PATCH 0/2] Harden url.c URL-decoding logic Matthew DeVore
2019-06-03 20:45 ` [PATCH 1/2] url: do not read past end of buffer Matthew DeVore
2019-06-04 5:00 ` René Scharfe
2019-06-04 17:22 ` Matthew DeVore [this message]
2019-06-03 20:45 ` [PATCH 2/2] url: do not allow %00 to represent NULL in URLs Matthew DeVore
2019-06-04 1:02 ` brian m. carlson
2019-06-04 17:38 ` Matthew DeVore
2019-06-04 5:01 ` René Scharfe
2019-06-04 17:23 ` Matthew DeVore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190604172238.GJ4641@comcast.net \
--to=matvore@comcast.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jeffhost@microsoft.com \
--cc=jrn@google.com \
--cc=l.s.r@web.de \
--cc=matvore@google.com \
--cc=peff@peff.net \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.