http2: avoid strstr() on data not zero terminated

It's not strictly clear if the API contract allows us to call strstr() on a string that isn't zero terminated even when we know it will find the substring, and clang's ASAN check dislikes us for it. Also added a check of the return code in case it fails, even if I can't think of a situation how that can trigger. Detected by OSS-Fuzz Closes #2513 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
2024-11-27 05:50:21 +08:00 · 2018-04-20 16:32:46 +02:00 · 2018-04-20 16:32:46 +02:00 · 1514c44655
commit 1514c44655
parent b0a50227c0
1 changed files with 5 additions and 2 deletions
--- a/lib/http2.c
+++ b/lib/http2.c
@ -1851,8 +1851,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
    return -1;
  }

-  /* Extract :method, :path from request line */
-  line_end = strstr(hdbuf, "\r\n");
+  /* Extract :method, :path from request line
+     We do line endings with CRLF so checking for CR is enough */
+  line_end = memchr(hdbuf, '\r', len);
+  if(!line_end)
+    goto fail;

  /* Method does not contain spaces */
  end = memchr(hdbuf, ' ', line_end - hdbuf);