Commit bf36a103 authored by Sergey Bronnikov, committed by Kirill Yukhin

http_parser: fix UB triggered by using negative array index

The http_parser() function resolves a symbol to lower case using an
array, where a char code maps to an appropriate symbol. Some symbols may
have a negative ASCII code, but an array index cannot be negative; it is
undefined behaviour.

I read the parts relevant to message headers in "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing" [1] and "Hypertext
Transfer Protocol -- HTTP/1.1" [2] and found that only ASCII symbols are
allowed in message headers. It means that symbols with a negative ASCII
code are not allowed. The patch adds a check that each processed symbol
has a positive ASCII code; otherwise the function returns
HTTP_PARSE_INVALID.

1. RFC 7230 - 3.2 Header Fields, https://tools.ietf.org/html/rfc7230#section-3.2
2. RFC 2616 - Message Headers, https://www.ietf.org/rfc/rfc2616.txt

Bug found using LibFuzzer

Closes https://github.com/tarantool/security/issues/6
Needed for: https://github.com/google/oss-fuzz/pull/4723
parent 376532c2
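
The class of bug the commit message describes, as an added C example that is not the project's own code: the lookup table, function names and result codes are constructed for illustration. The checked variant inspects the byte as unsigned with an explicit range test, which also covers platforms where plain char is unsigned.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this sketch (the commit names HTTP_PARSE_INVALID). */
enum { PARSE_OK = 0, PARSE_INVALID = -1 };

/* Constructed 128-entry table: allowed header-name bytes map to their
 * lower-case form, everything else stays 0 (rejected). */
static unsigned char lowcase[128];

static void table_init(void)
{
    if (lowcase['a'] != 0)
        return;
    for (int c = 'a'; c <= 'z'; c++) {
        lowcase[c] = (unsigned char)c;
        lowcase[c - 'a' + 'A'] = (unsigned char)c;
    }
    for (int c = '0'; c <= '9'; c++)
        lowcase[c] = (unsigned char)c;
    lowcase['-'] = '-';
}

/* Before: where plain char is signed, byte 0xC3 becomes index -61 and the
 * read lands before the table. Shown for comparison only. */
int header_name_lower_unchecked(const char *in, size_t len, char *out)
{
    table_init();
    for (size_t i = 0; i < len; i++)
        out[i] = (char)lowcase[(int)in[i]];
    return PARSE_OK;
}

/* After: look at the byte as unsigned and reject anything outside the table. */
int header_name_lower(const char *in, size_t len, char *out)
{
    table_init();
    for (size_t i = 0; i < len; i++) {
        unsigned char b = (unsigned char)in[i];
        if (b >= sizeof(lowcase) || lowcase[b] == 0)
            return PARSE_INVALID;
        out[i] = (char)lowcase[b];
    }
    return PARSE_OK;
}
```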