From da650c1e544e3ebb7d43332d0570cd34d31e08b3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 23 Jul 2015 11:51:53 +0200
Subject: http2: verify success of strchr() in http2_send()

Detected by Coverity.

Error: NULL_RETURNS:
lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
1300|
1301|     hdbuf = strchr(hdbuf, 0x0a);
1302|->   ++hdbuf;
1303|
1304|     authority_idx = 0;
---
 lib/http2.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/http2.c b/lib/http2.c
index 0001fae5d..1a2c48649 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1274,6 +1274,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
   }
   /* Extract :method, :path from request line */
   end = strchr(hdbuf, ' ');
+  if(!end)
+    goto fail;
   nva[0].name = (unsigned char *)":method";
   nva[0].namelen = (uint16_t)strlen((char *)nva[0].name);
   nva[0].value = (unsigned char *)hdbuf;
@@ -1283,6 +1285,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
   hdbuf = end + 1;
 
   end = strchr(hdbuf, ' ');
+  if(!end)
+    goto fail;
   nva[1].name = (unsigned char *)":path";
   nva[1].namelen = (uint16_t)strlen((char *)nva[1].name);
   nva[1].value = (unsigned char *)hdbuf;
@@ -1299,13 +1303,16 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
   nva[2].flags = NGHTTP2_NV_FLAG_NONE;
 
   hdbuf = strchr(hdbuf, 0x0a);
+  if(!hdbuf)
+    goto fail;
   ++hdbuf;
 
   authority_idx = 0;
 
   for(i = 3; i < nheader; ++i) {
     end = strchr(hdbuf, ':');
-    assert(end);
+    if(!end)
+      goto fail;
     if(end - hdbuf == 4 && Curl_raw_nequal("host", hdbuf, 4)) {
       authority_idx = i;
       nva[i].name = (unsigned char *)":authority";
@@ -1318,7 +1325,8 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
     hdbuf = end + 1;
     for(; *hdbuf == ' '; ++hdbuf);
     end = strchr(hdbuf, 0x0d);
-    assert(end);
+    if(!end)
+      goto fail;
     nva[i].value = (unsigned char *)hdbuf;
     nva[i].valuelen = (uint16_t)(end - hdbuf);
     nva[i].flags = NGHTTP2_NV_FLAG_NONE;
@@ -1365,7 +1373,7 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
                                        NULL, NULL);
   }
 
-  free(nva);
+  Curl_safefree(nva);
 
   if(stream_id < 0) {
     DEBUGF(infof(conn->data, "http2_send() send error\n"));
@@ -1405,6 +1413,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
   }
 
   return len;
+
+  fail:
+  free(nva);
+  *err = CURLE_SEND_ERROR;
+  return -1;
 }
 
 CURLcode Curl_http2_setup(struct connectdata *conn)
-- 
cgit v1.2.3