git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: "René Scharfe" <l.s.r@web.de>
To: Matthew DeVore <matvore@google.com>, git@vger.kernel.org
Cc: jeffhost@microsoft.com, gitster@pobox.com, spearce@spearce.org,
	jrn@google.com, Jeff King <peff@peff.net>
Subject: Re: [PATCH 1/2] url: do not read past end of buffer
Date: Tue, 4 Jun 2019 07:00:34 +0200	[thread overview]
Message-ID: <18ab56e2-3b25-8cfd-438d-72f49145adc4@web.de> (raw)
In-Reply-To: <20190603204526.7723-2-matvore@google.com>

Am 03.06.19 um 22:45 schrieb Matthew DeVore:
> url_decode_internal could have been tricked into reading past the length
> of the **query buffer if there are fewer than 2 characters after a % (in
> a null-terminated string, % would have to be the last character).
> Prevent this from happening by checking len before decoding the %
> sequence.
>
> Signed-off-by: Matthew DeVore <matvore@google.com>
> ---
>  url.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/url.c b/url.c
> index 25576c390b..c0bb4e23c3 100644
> --- a/url.c
> +++ b/url.c
> @@ -39,21 +39,21 @@ static char *url_decode_internal(const char **query, int len,
>  		unsigned char c = *q;
>
>  		if (!c)
>  			break;
>  		if (stop_at && strchr(stop_at, c)) {
>  			q++;
>  			len--;
>  			break;
>  		}
>
> -		if (c == '%') {
> +		if (c == '%' && len >= 3) {

Tricky.  hex2chr() makes sure to not run over the end of NUL-terminated
strings, but url_decode_internal() is supposed to honor the parameter
len as well.  Your change disables %-decoding for the two callers that
pass -1 as len, though.  So perhaps like this?

		if (c == '%' && (len < 0 || len >= 3)) {

In any case: Good find!

>  			int val = hex2chr(q + 1);
>  			if (0 <= val) {
>  				strbuf_addch(out, val);
>  				q += 3;
>  				len -= 3;
>  				continue;
>  			}
>  		}
>
>  		if (decode_plus && c == '+')
>


  reply	other threads:[~2019-06-04  5:01 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-03 20:45 [PATCH 0/2] Harden url.c URL-decoding logic Matthew DeVore
2019-06-03 20:45 ` [PATCH 1/2] url: do not read past end of buffer Matthew DeVore
2019-06-04  5:00   ` René Scharfe [this message]
2019-06-04 17:22     ` Matthew DeVore
2019-06-03 20:45 ` [PATCH 2/2] url: do not allow %00 to represent NULL in URLs Matthew DeVore
2019-06-04  1:02   ` brian m. carlson
2019-06-04 17:38     ` Matthew DeVore
2019-06-04  5:01   ` René Scharfe
2019-06-04 17:23     ` Matthew DeVore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=18ab56e2-3b25-8cfd-438d-72f49145adc4@web.de \
    --to=l.s.r@web.de \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=jeffhost@microsoft.com \
    --cc=jrn@google.com \
    --cc=matvore@google.com \
    --cc=peff@peff.net \
    --cc=spearce@spearce.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).