author Glenn Strauss <gstrauss@gluelogic.com> 2020-01-31 16:47:39 -0500
committer Glenn Strauss <gstrauss@gluelogic.com> 2020-01-31 16:54:59 -0500
commit f37c16aadd0b5fffdb359f38967cc53240250577
tree fa91d9cfeb7fa27fbd9befac00439da950668202
parent 2c409321df0f9302a986f5c2876638b99e8c892e
[core] fix one-byte OOB read (underflow)

In some circumstances, if the character on the heap prior to the beginning of the request is '\r', then it would be overwritten with '\0'.

With default compiler flags, this does not appear to occur in practice and we therefore believe it to be a low-probability vulnerability.

(thx Antonio Morales)

This issue was discovered and reported by GSL team member @antonio-morales <https://github.com/antonio-morales> (Antonio Morales)

-rw-r--r-- src/request.c 2
1 files changed, 0 insertions, 2 deletions
diff --git a/src/request.c b/src/request.c
index 7ce30869..9be71b1e 100644
--- a/src/request.c
+++ b/src/request.c
@@ -603,9 +603,7 @@ static size_t http_request_parse_reqline(server *srv, connection *con, buffer *h
size_t j, jlen;
/* \r\n -> \0\0 */
- #ifdef __COVERITY__
if (0 == i) return 400;
- #endif
if (ptr[i-1] == '\r') {
ptr[i-1] = '\0';
} else if (http_header_strict) { /* '\n' */
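
Review bot: the now-unconditional `if (0 == i) return 400;` has no comment saying why it is needed, and because it used to sit inside `#ifdef __COVERITY__` a later reader could mistake it for static-analyzer appeasement and guard it again. A one-line comment there, stating that with i == 0 the following `ptr[i-1]` indexes one byte before `ptr`, would make the intent explicit. The lines right after it also assign `ptr[i-1] = '\0'`, so the underflow is a conditional one-byte write as well as a read, which the subject line's "OOB read" understates. The diffstat shows only src/request.c changed; a regression test that feeds a request hitting the i == 0 case and expects a 400 would pin this behaviour.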