author: Paul Dreik <github@pauldreik.se> 2019-09-20 13:25:20 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2019-09-21 15:57:17 +0200
commit: 47066036a084a9ba0caf46db24072a429c44fabb
tree: 3b27e4422c4b17ab6ba1424c77045fef9b07bcdf /lib/transfer.h
parent: 63a8d2b172072e69c6dc94a3859a759ba0b2d397
urlapi: avoid index underflow for short ipv6 hostnames

If the input hostname is "[", hlen will underflow to max of size_t when
it is subtracted with 2.

hostname[hlen] will then cause a warning by ubsanitizer:

    runtime error: addition of unsigned offset to 0x<snip> overflowed to
    0x<snip>

I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".

This can be demonstrated by the following program (tested in both clang
and gcc, with -O3)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main() {
      char* hostname=strdup("[");
      size_t hlen = strlen(hostname);  /* 1 */

      hlen-=2;                         /* wraps to SIZE_MAX */
      hostname++;
      /* hostname + hlen wraps back to the start of the buffer */
      printf("character is %d\n",+hostname[hlen]);
      free(hostname-1);
    }

I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.

Closes #4389

Diffstat (limited to 'lib/transfer.h')
0 files changed, 0 insertions, 0 deletions
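
The length wraparound described in the commit message, next to an early-return check of the kind it calls for, as an added example. This is not curl's code: the function names, the return codes and the minimum length of 3 are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes, not curl's CURLUcode values. */
enum host_rc { HOST_OK = 0, HOST_MALFORMED = 1 };

/* The unchecked arithmetic from the commit message: stripping two
   bracket characters from a length below 2 wraps around. Unsigned
   wraparound is well defined; the undefined behaviour ubsan reports
   only appears once the result is used as a pointer offset. */
static size_t inner_len_unchecked(size_t hlen)
{
  return hlen - 2;
}

/* Hardened form: validate the length before subtracting, so the
   subtraction and every later index stay inside the buffer.
   Assumption: the shortest accepted input is "[" + 1 char + "]". */
static enum host_rc bracketed_inner(const char *hostname,
                                    const char **inner, size_t *inner_len)
{
  size_t hlen = strlen(hostname);

  if(hostname[0] != '[')
    return HOST_MALFORMED;
  if(hlen < 3)                    /* "[" and "[]" are rejected here */
    return HOST_MALFORMED;
  if(hostname[hlen - 1] != ']')   /* safe: hlen >= 3 */
    return HOST_MALFORMED;

  *inner = hostname + 1;
  *inner_len = hlen - 2;          /* cannot wrap: hlen >= 3 */
  return HOST_OK;
}

int main(void)
{
  /* Constructed inputs, including the fuzzer-style "[" case. */
  const char *samples[] = { "[", "[]", "[::1", "[::1]" };
  printf("unchecked length for \"[\": %zu\n", inner_len_unchecked(1));
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    const char *in = NULL;
    size_t n = 0;
    enum host_rc rc = bracketed_inner(samples[i], &in, &n);
    printf("%-6s -> rc=%d len=%zu\n", samples[i], (int)rc, n);
  }
  return 0;
}
```
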