Skip to content
This repository has been archived by the owner on Nov 6, 2022. It is now read-only.

Fix invalid memory access. #246

Closed
wants to merge 5 commits into from
Closed

Fix invalid memory access. #246

wants to merge 5 commits into from

Conversation

OnixGH
Copy link

@OnixGH OnixGH commented May 18, 2015

http_parse_host() depends on u->field_data[UF_HOST], but this if()
allowed the method to be called if only u->field_data[UF_SCHEMA] was
set, resulting in use of unintialized pointers.

Fix invalid memory access.
104bab7 
http_parse_host() depends on u->field_data[UF_HOST], but this if()
allowed the method to be called if only u->field_data[UF_SCHEMA] was
set, resulting in use of unintialized pointers.
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

This patch fixed a recurring crash in Phusion Passenger (issue report).

Fixup: the patch stopped host parsing in the CONNECT flow.
62cd859 
This update restores that functionality while maintaining the memory
access fix (only call http_parse_host if UF_HOST is set).
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

The thread for 225 is related. However, it seems more logical to protect http_parse_host() from being called if the UF_HOST field data is not set anyway than to memset the structure. Either way the patches are compatible and can both be applied for a robust fix of the invalid memory access issue.

indutny
indutny reviewed May 18, 2015
View reviewed changes
http_parser.c
if (http_parse_host(buf, u, found_at) != 0) {
return 1;
}
if ((u->field_set & (1 << UF_SCHEMA)) && (u->field_set & (1 << UF_HOST)) == 0) {

This comment was marked as off-topic.

Sign in to view

@indutny
Copy link
Member

indutny commented May 18, 2015

Looks good, but what about failing test? ;)

Fix test failure & 80 char limit.
6862207 
http_parse_host also affects UF_PORT and cannot be moved below the check
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

@indutny oh sorry, I thought I was being smart by moving the host and port checks together, but the http_parse_host also parses the port and needed to go back up. Test works for me now, and I also addressed the 80 char limit.

indutny
indutny reviewed May 18, 2015
View reviewed changes
http_parser.c
@@ -2384,7 +2389,7 @@ http_parser_parse_url(const char *buf, size_t buflen, int is_connect,

/* CONNECT requests can only contain "hostname:port" */
if (is_connect && u->field_set != ((1 << UF_HOST)|(1 << UF_PORT))) {
return 1;
return 1;

This comment was marked as off-topic.

Sign in to view

@indutny
Copy link
Member

indutny commented May 19, 2015

Looks awesome! May I ask you to submit some kind of test for it?

@OnixGH
Copy link
Author

OnixGH commented May 19, 2015

I checked that the test suite reports a failure with the old code and OK with the new code.

@indutny
Copy link
Member

indutny commented May 19, 2015

Aaah, I see :) Thanks.

indutny pushed a commit that referenced this pull request May 19, 2015
@indutny
src: fix invalid memory access in http_parse_host
f6f436a 
http_parse_host() depends on `u->field_data[UF_HOST]`, but this
if() allowed the method to be called if only
`u->field_data[UF_SCHEMA]` was set, resulting in use of
unintialized pointers.

PR-URL: #246
Reviewed-By: Fedor Indutny <fedor@indutny.com>
@indutny
Copy link
Member

indutny commented May 19, 2015

Landed in f6f436a, thank you!

@indutny indutny closed this May 19, 2015
@OnixGH
Copy link
Author

OnixGH commented May 19, 2015

👍

@jasnell jasnell mentioned this pull request Oct 28, 2015
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@OnixGH @indutny