Skip to content
This repository was archived by the owner on Nov 6, 2022. It is now read-only.

Fix invalid memory access. #246

Closed
wants to merge 5 commits into from
Closed

Fix invalid memory access. #246

wants to merge 5 commits into from

Conversation

OnixGH
Copy link

@OnixGH OnixGH commented May 18, 2015

http_parse_host() depends on u->field_data[UF_HOST], but this if()
allowed the method to be called if only u->field_data[UF_SCHEMA] was
set, resulting in use of unintialized pointers.

Fix invalid memory access.
104bab7 
http_parse_host() depends on u->field_data[UF_HOST], but this if()
allowed the method to be called if only u->field_data[UF_SCHEMA] was
set, resulting in use of unintialized pointers.
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

This patch fixed a recurring crash in Phusion Passenger (issue report).

Fixup: the patch stopped host parsing in the CONNECT flow.
62cd859 
This update restores that functionality while maintaining the memory
access fix (only call http_parse_host if UF_HOST is set).
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

The thread for 225 is related. However, it seems more logical to protect http_parse_host() from being called if the UF_HOST field data is not set anyway than to memset the structure. Either way the patches are compatible and can both be applied for a robust fix of the invalid memory access issue.

indutny
indutny reviewed May 18, 2015
View reviewed changes
http_parser.c
if (http_parse_host(buf, u, found_at) != 0) {
return 1;
}
if ((u->field_set & (1 << UF_SCHEMA)) && (u->field_set & (1 << UF_HOST)) == 0) {

This comment was marked as off-topic.

# to view

@indutny
Copy link
Member

indutny commented May 18, 2015

Looks good, but what about failing test? ;)

Fix test failure & 80 char limit.
6862207 
http_parse_host also affects UF_PORT and cannot be moved below the check
@OnixGH
Copy link
Author

OnixGH commented May 18, 2015

@indutny oh sorry, I thought I was being smart by moving the host and port checks together, but the http_parse_host also parses the port and needed to go back up. Test works for me now, and I also addressed the 80 char limit.

indutny
indutny reviewed May 18, 2015
View reviewed changes
http_parser.c
@@ -2384,7 +2389,7 @@ http_parser_parse_url(const char *buf, size_t buflen, int is_connect,

/* CONNECT requests can only contain "hostname:port" */
if (is_connect && u->field_set != ((1 << UF_HOST)|(1 << UF_PORT))) {
return 1;
return 1;

This comment was marked as off-topic.

# to view

@indutny
Copy link
Member

indutny commented May 19, 2015

Looks awesome! May I ask you to submit some kind of test for it?

@OnixGH
Copy link
Author

OnixGH commented May 19, 2015

I checked that the test suite reports a failure with the old code and OK with the new code.

@indutny
Copy link
Member

indutny commented May 19, 2015

Aaah, I see :) Thanks.

indutny pushed a commit that referenced this pull request May 19, 2015
@indutny
src: fix invalid memory access in http_parse_host
f6f436a 
http_parse_host() depends on `u->field_data[UF_HOST]`, but this
if() allowed the method to be called if only
`u->field_data[UF_SCHEMA]` was set, resulting in use of
unintialized pointers.

PR-URL: #246
Reviewed-By: Fedor Indutny <fedor@indutny.com>
@indutny
Copy link
Member

indutny commented May 19, 2015

Landed in f6f436a, thank you!

@indutny indutny closed this May 19, 2015
@OnixGH
Copy link
Author

OnixGH commented May 19, 2015

👍

@jasnell jasnell mentioned this pull request Oct 28, 2015
Closed
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@OnixGH @indutny