Skip to content

Commit

Permalink
netlib_parseurl.c: Fix string overruns
Browse files Browse the repository at this point in the history
For EINVAL, it doesn't make sense to keep parsing.
(For E2BIG, it might make some sense.)

Found by LLVM ASan.

```
=================================================================
==81622==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f2 at pc 0x00010d2746ca bp 0x7ffee29a9980 sp 0x7ffee29a9978
READ of size 1 at 0x6020000000f2 thread T0
    #0 0x10d2746c9 in netlib_parseurl netlib_parseurl.c:121
    apache#1 0x10d26b293 in parseurl webclient.c:479
    apache#2 0x10d265e48 in webclient_perform webclient.c:690
    apache#3 0x10d277c5b in main main.c:210
    apache#4 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4)

0x6020000000f2 is located 0 bytes to the right of 2-byte region [0x6020000000f0,0x6020000000f2)
allocated by thread T0 here:
    #0 0x10d3996d3 in wrap_strdup+0x203 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x3e6d3)
    apache#1 0x10d276abe in main main.c:147
    apache#2 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4)

SUMMARY: AddressSanitizer: heap-buffer-overflow netlib_parseurl.c:121 in netlib_parseurl
Shadow bytes around the buggy address:
  0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x1c0400000010: fa fa 00 fa fa fa 00 00 fa fa 00 06 fa fa[02]fa
  0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==81622==ABORTING
```
  • Loading branch information
yamt authored and xiaoxiang781216 committed May 8, 2021
1 parent 73a93e2 commit 998abe1
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions netutils/netlib/netlib_parseurl.c
Original file line number Diff line number Diff line change
Expand Up @@ -113,21 +113,21 @@ int netlib_parseurl(FAR const char *str, FAR struct url_s *url)

if (*src != ':')
{
ret = -EINVAL;
return -EINVAL;
}

src++;

if (*src != '/')
{
ret = -EINVAL;
return -EINVAL;
}

src++;

if (*src != '/')
{
ret = -EINVAL;
return -EINVAL;
}

src++;
Expand Down

0 comments on commit 998abe1

Please sign in to comment.