mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-11-27 05:50:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

http_aws_sigv4: fix strlen() check

Browse Source 
The check was off-by-one leading to buffer overflow.

Follow-up to 29c4aa00a1

Detected by OSS-Fuzz

Closes #9714
This commit is contained in:
Daniel Stenberg 2022-10-12 23:03:26 +02:00
parent 0bb2f64905
commit 57ba1dd519
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/http_aws_sigv4.c
View File

@ -124,8 +124,9 @@ static void trim_headers(struct curl_slist *head)
#define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
#define MAX_HOST_LEN 255
/* FQDN + host: */
#define FULL_HOST_LEN (255 + sizeof("host:"))
#define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:"))
/* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
#define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
@ -162,7 +163,7 @@ static CURLcode make_headers(struct Curl_easy *data,
head = NULL;
}
else {
char full_host[FULL_HOST_LEN];
char full_host[FULL_HOST_LEN + 1];
if(data->state.aptr.host) {
size_t pos;
@ -177,7 +178,7 @@ static CURLcode make_headers(struct Curl_easy *data,
full_host[pos] = 0;
}
else {
if(strlen(hostname) > FULL_HOST_LEN) {
if(strlen(hostname) > MAX_HOST_LEN) {
ret = CURLE_URL_MALFORMAT;
goto fail;
}