To: tarantool-patches@dev.tarantool.org, void@tarantool.org, lvasiliev@tarantool.org
Date: Sat, 13 Feb 2021 20:43:47 +0300
Message-Id: <9b993ed9540d52ccd07f3c0e675f545801874a11.1613237530.git.sergeyb@tarantool.org>
X-Mailer: git-send-email 2.25.1
Subject: [Tarantool-patches] [PATCH v1] http_parser: fix UB triggered by using negative array index
From: Sergey Bronnikov <sergeyb@tarantool.org>
Reply-To: sergeyb@tarantool.org

The http_parser() function resolves a symbol to lower case using an array, where a char code maps to the appropriate symbol. Some symbols may have a negative ASCII code, but an array index cannot be negative; it is undefined behaviour.

I read the parts relevant to message headers in "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing" [1] and "Hypertext Transfer Protocol -- HTTP/1.1" [2] and found that only ASCII symbols are allowed in message headers. It means that symbols with a negative ASCII code are not allowed.

The patch adds a check that each processed symbol has a positive ASCII code; otherwise the function returns HTTP_PARSE_INVALID.

1. RFC 7230 - 3.2 Header Fields, https://tools.ietf.org/html/rfc7230#section-3.2
2. RFC 2616 - Message Headers, https://www.ietf.org/rfc/rfc2616.txt

Bug found using LibFuzzer combined with UBSan.

Closes https://github.com/tarantool/security/issues/6
Needed for: https://github.com/google/oss-fuzz/pull/4723
---
Gitlab CI: https://gitlab.com/tarantool/tarantool/-/pipelines/255857504
Github CI: https://github.com/tarantool/tarantool/commit/9b993ed9540d52ccd07f3c0e675f545801874a11
Issue: https://github.com/tarantool/security/issues/6
Branch: ligurio/http_parser_crash

 src/lib/http_parser/http_parser.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib/http_parser/http_parser.c b/src/lib/http_parser/http_parser.c
index 28093b79a..b9bee10f6 100644
--- a/src/lib/http_parser/http_parser.c
+++ b/src/lib/http_parser/http_parser.c
@@ -255,6 +255,9 @@ http_parse_header_line(struct http_parser *prsr, char **bufp, for (; p < end_buf; p++) { ch = *p; + if (ch < 0) { + return HTTP_PARSE_INVALID; + } switch (state) { /* first char */ case sw_start: -- 2.25.1
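Review bot: the `if (ch < 0)` test in this hunk only rejects high bytes where `char` is a signed type; on targets where `char` is unsigned (Linux on ARM and AArch64, for example) `ch` is never negative, so bytes 0x80-0xFF still reach the lowercase table and the fix is platform-dependent. Consider testing the octet value instead, e.g. `if ((unsigned char)*p >= 0x80) return HTTP_PARSE_INVALID;`, which matches the "only ASCII" rationale in the commit message on every platform. The diffstat shows only src/lib/http_parser/http_parser.c changed, so the crashing fuzzer input is not captured as a regression test; a unit test feeding a header line with a byte >= 0x80 would keep this covered. Note too that RFC 7230 3.2.6 allows obs-text (%x80-FF) inside field values, so applying this check to every byte of the header line is stricter than the RFC for values; that is a defensible choice, but worth stating in the commit message.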
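The commit message describes the bug as indexing a lowercase table with a plain `char`, which turns a byte above 0x7F into a negative index on signed-char platforms. The following is an added example written for this page, not code from the Tarantool http_parser; it assumes a 128-entry lowercase table for header names (the names `lowercase_header_name`, `naive_index_out_of_table`, `header_name_status` and `header_name_equals` are hypothetical). It goes slightly beyond the patch: the hardened routine works on the octet value so the check does not depend on `char` signedness, and it also rejects ASCII bytes that are not RFC 7230 tchar, so a stray space or colon in a field name fails the same way a non-ASCII byte does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes; the names mirror the ones in the patch but are defined
 * here for this stand-alone example. */
#define HTTP_PARSE_OK 0
#define HTTP_PARSE_INVALID -1

/* The lookup table covers US-ASCII only (0x00-0x7F), as a lowercase table
 * built for RFC 7230 header names would. */
#define TABLE_SIZE 128

/* lowcase[c] is the lowercase form of c if c is an RFC 7230 tchar (the
 * characters allowed in a field name), and 0 otherwise. */
static unsigned char lowcase[TABLE_SIZE];
static int table_ready;

static void build_table(void)
{
    const char *punct = "!#$%&'*+-.^_`|~";   /* tchar punctuation, RFC 7230 3.2.6 */
    memset(lowcase, 0, sizeof lowcase);
    for (int c = 1; c < TABLE_SIZE; c++) {
        if (c >= 'A' && c <= 'Z')
            lowcase[c] = (unsigned char)(c + ('a' - 'A'));
        else if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
                 strchr(punct, c) != NULL)
            lowcase[c] = (unsigned char)c;
    }
    table_ready = 1;
}

/* The buggy pattern the patch removes: indexing the table with a plain char.
 * Returns 1 when the resulting index lies outside the table, i.e. when the
 * access would be undefined behaviour. With a signed char the index is
 * negative; with an unsigned char it is >= 128. Both are out of bounds. */
int naive_index_out_of_table(char ch)
{
    int idx = ch;   /* implicit conversion; sign-extends if char is signed */
    return idx < 0 || idx >= TABLE_SIZE;
}

/* Hardened version: inspect the octet value so the check is independent of
 * char signedness, reject anything outside US-ASCII, then reject ASCII
 * characters that are not tchar. Writes the lowercased name to out. */
int lowercase_header_name(const char *in, size_t len, char *out, size_t out_len)
{
    if (!table_ready)
        build_table();
    if (len == 0 || len + 1 > out_len)
        return HTTP_PARSE_INVALID;   /* field-name = token: at least one tchar */
    for (size_t i = 0; i < len; i++) {
        unsigned char oct = (unsigned char)in[i];
        if (oct >= TABLE_SIZE)
            return HTTP_PARSE_INVALID;   /* 0x80-0xFF is never a valid name byte */
        unsigned char lc = lowcase[oct];
        if (lc == 0)
            return HTTP_PARSE_INVALID;   /* control, SP, ':' and other non-tchar */
        out[i] = (char)lc;
    }
    out[len] = '\0';
    return HTTP_PARSE_OK;
}

/* Convenience wrappers over NUL-terminated input. */
int header_name_status(const char *in)
{
    char tmp[64];
    return lowercase_header_name(in, strlen(in), tmp, sizeof tmp);
}

int header_name_equals(const char *in, const char *want)
{
    char tmp[64];
    if (lowercase_header_name(in, strlen(in), tmp, sizeof tmp) != HTTP_PARSE_OK)
        return 0;
    return strcmp(tmp, want) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal name, one carrying the UTF-8 sequence
     * 0xC3 0xA9 of the kind a fuzzer feeds the parser, and one with a space. */
    const char *names[] = { "Content-Type", "X-\xC3\xA9" "-Test", "Bad Name" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char out[64];
        int rc = lowercase_header_name(names[i], strlen(names[i]), out, sizeof out);
        printf("%-16s -> %s\n", names[i], rc == HTTP_PARSE_OK ? out : "HTTP_PARSE_INVALID");
    }
    printf("0xC3 as plain char indexes outside the table: %d\n",
           naive_index_out_of_table((char)0xC3));
    return 0;
}
```

`naive_index_out_of_table` deliberately computes the index without performing the lookup, so the example itself never executes the out-of-bounds read; compiling a real parser with `-fsanitize=undefined` and feeding it the `0xC3 0xA9` input is how the original finding was made, and the hardened loop is what keeps that sanitizer quiet on both signed- and unsigned-char targets.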