diff options
author | Kamil Dudka <kdudka@redhat.com> | 2015-07-23 11:51:53 +0200 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2015-07-23 11:51:53 +0200 |
commit | da650c1e544e3ebb7d43332d0570cd34d31e08b3 (patch) | |
tree | fcc7d05c38046039cf2e955b5964f3696deba803 /lib | |
parent | 40c921f8b825c80bfe0d34f3137f1ece122369c6 (diff) |
http2: verify success of strchr() in http2_send()
Detected by Coverity.
Error: NULL_RETURNS:
lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
1300|
1301| hdbuf = strchr(hdbuf, 0x0a);
1302|-> ++hdbuf;
1303|
1304| authority_idx = 0;
Diffstat (limited to 'lib')
-rw-r--r-- | lib/http2.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/lib/http2.c b/lib/http2.c index 0001fae5d..1a2c48649 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -1274,6 +1274,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, } /* Extract :method, :path from request line */ end = strchr(hdbuf, ' '); + if(!end) + goto fail; nva[0].name = (unsigned char *)":method"; nva[0].namelen = (uint16_t)strlen((char *)nva[0].name); nva[0].value = (unsigned char *)hdbuf; @@ -1283,6 +1285,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, hdbuf = end + 1; end = strchr(hdbuf, ' '); + if(!end) + goto fail; nva[1].name = (unsigned char *)":path"; nva[1].namelen = (uint16_t)strlen((char *)nva[1].name); nva[1].value = (unsigned char *)hdbuf; @@ -1299,13 +1303,16 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, nva[2].flags = NGHTTP2_NV_FLAG_NONE; hdbuf = strchr(hdbuf, 0x0a); + if(!hdbuf) + goto fail; ++hdbuf; authority_idx = 0; for(i = 3; i < nheader; ++i) { end = strchr(hdbuf, ':'); - assert(end); + if(!end) + goto fail; if(end - hdbuf == 4 && Curl_raw_nequal("host", hdbuf, 4)) { authority_idx = i; nva[i].name = (unsigned char *)":authority"; @@ -1318,7 +1325,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, hdbuf = end + 1; for(; *hdbuf == ' '; ++hdbuf); end = strchr(hdbuf, 0x0d); - assert(end); + if(!end) + goto fail; nva[i].value = (unsigned char *)hdbuf; nva[i].valuelen = (uint16_t)(end - hdbuf); nva[i].flags = NGHTTP2_NV_FLAG_NONE; @@ -1365,7 +1373,7 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, NULL, NULL); } - free(nva); + Curl_safefree(nva); if(stream_id < 0) { DEBUGF(infof(conn->data, "http2_send() send error\n")); @@ -1405,6 +1413,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, } return len; + + fail: + free(nva); + *err = CURLE_SEND_ERROR; + return -1; } CURLcode Curl_http2_setup(struct connectdata *conn) |