Tarantool development patches archive
 help / color / mirror / Atom feed
* [Tarantool-patches] [PATCH v1] http_parser: fix UB triggered by using negative array index
@ 2021-02-13 17:43 Sergey Bronnikov via Tarantool-patches
  0 siblings, 0 replies; only message in thread
From: Sergey Bronnikov via Tarantool-patches @ 2021-02-13 17:43 UTC (permalink / raw)
  To: tarantool-patches, void, lvasiliev

From: Sergey Bronnikov <sergeyb@tarantool.org>

http_parser() function resolves symbol to lower case using array, where
an char code maps to an appropriate symbol. Some symbols may have
negative ASCII code, but array index cannot be negative, it is an
undefined behaviour.

I read parts relevant to message headers in "Hypertext Transfer Protocol
(HTTP/1.1): Message Syntax and Routing" [1] and "Hypertext Transfer
Protocol -- HTTP/1.1" [2] and found that only ASCII symbols only allowed
in message headers. It means that symbols with negative ASCII code are
not allowed. Patch adds a check for each processed symbol to have
positive ASCII code, otherwise function returns HTTP_PARSE_INVALID.

1. RFC 7230 - 3.2 Header Fields, https://tools.ietf.org/html/rfc7230#section-3.2
2. RFC 2616 - Message Headers, https://www.ietf.org/rfc/rfc2616.txt

Bug found using LibFuzzer combined with UBsan

Closes https://github.com/tarantool/security/issues/6
Needed for: https://github.com/google/oss-fuzz/pull/4723
Gitlab CI: https://gitlab.com/tarantool/tarantool/-/pipelines/255857504
Github CI: https://github.com/tarantool/tarantool/commit/9b993ed9540d52ccd07f3c0e675f545801874a11
Issue: https://github.com/tarantool/security/issues/6
Branch: ligurio/http_parser_crash

 src/lib/http_parser/http_parser.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib/http_parser/http_parser.c b/src/lib/http_parser/http_parser.c
index 28093b79a..b9bee10f6 100644
--- a/src/lib/http_parser/http_parser.c
+++ b/src/lib/http_parser/http_parser.c
@@ -255,6 +255,9 @@ http_parse_header_line(struct http_parser *prsr, char **bufp,
 	for (; p < end_buf; p++) {
 		ch = *p;
+		if (ch < 0) {
+		}
 		switch (state) {
 		/* first char */
 		case sw_start:

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-02-13 18:10 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-13 17:43 [Tarantool-patches] [PATCH v1] http_parser: fix UB triggered by using negative array index Sergey Bronnikov via Tarantool-patches

Tarantool development patches archive

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://lists.tarantool.org/tarantool-patches/0 tarantool-patches/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 tarantool-patches tarantool-patches/ https://lists.tarantool.org/tarantool-patches \
	public-inbox-index tarantool-patches

Example config snippet for mirrors.

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git