From 643fac1e01102524e44ead188e865830ebdfb1f4 Mon Sep 17 00:00:00 2001
From: Pyfisch
Date: Sun, 5 Mar 2017 12:40:06 +0100
Subject: [PATCH] fix(headers): add length checks to ETag parsing

Bug found using `cargo fuzz`.
---
 src/header/common/etag.rs | 3 +++
 src/header/shared/entity.rs | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/header/common/etag.rs b/src/header/common/etag.rs
index 068c8599fd..685c5d6342 100644
--- a/src/header/common/etag.rs
+++ b/src/header/common/etag.rs
@@ -83,6 +83,9 @@ header! {
 test_header!(test14,
 vec![b"matched-\"dquotes\""],
 None::);
+ test_header!(test15,
+ vec![b"\""],
+ None::);
 }
 }

diff --git a/src/header/shared/entity.rs b/src/header/shared/entity.rs
index 3c2d9e6c93..063ecb6d9a 100644
--- a/src/header/shared/entity.rs
+++ b/src/header/shared/entity.rs
@@ -123,15 +123,17 @@ impl FromStr for EntityTag {
 let length: usize = s.len();
 let slice = &s[..];
 // Early exits if it doesn't terminate in a DQUOTE.
- if !slice.ends_with('"') {
+ if !slice.ends_with('"') || slice.len() < 2 {
 return Err(::Error::Header);
 }
 // The etag is weak if its first char is not a DQUOTE.
- if slice.starts_with('"') && check_slice_validity(&slice[1..length-1]) {
+ if slice.len() >= 2 && slice.starts_with('"')
+ && check_slice_validity(&slice[1..length-1]) {
 // No need to check if the last char is a DQUOTE,
 // we already did that above.
 return Ok(EntityTag { weak: false, tag: slice[1..length-1].to_owned() });
- } else if slice.starts_with("W/\"") && check_slice_validity(&slice[3..length-1]) {
+ } else if slice.len() >= 4 && slice.starts_with("W/\"")
+ && check_slice_validity(&slice[3..length-1]) {
 return Ok(EntityTag { weak: true, tag: slice[3..length-1].to_owned() });
 }
 Err(::Error::Header)
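Review bot: The new `test15` pins only the one-byte `"` input, so the second guard this commit adds in `entity.rs` (`slice.len() >= 4` on the weak branch) has no regression test. A three-byte `W/"` value ends in a DQUOTE and matches the weak prefix, and in the old code shown in the other hunk it would have sliced `3..length-1` with the start past the end. I would add a sibling case with `vec![b"W/\""]` and the same `None` expectation as `test15`, so both malformed shapes stay covered. The enclosing `header!` block starts outside the hunk.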
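Review bot: The `slice.len() >= 2` added to the strong-tag branch is redundant, because the early exit just above already returns for anything shorter than two bytes, and the hunk now mixes `slice.len()` with the existing `length` binding. Writing the early exit as `if length < 2 || !slice.ends_with('"') {` and leaving the strong branch as `slice.starts_with('"') && check_slice_validity(…)` reads more clearly. The `>= 4` on the weak branch is the check that does the work there and deserves a comment such as `// "W/" plus two DQUOTEs; shorter input would make 3..length-1 an inverted range and panic`, since this presumably parses header values that come from the remote peer. The function body begins outside the hunk.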