Posted to commits@nuttx.apache.org by xi...@apache.org on 2021/05/08 03:23:14 UTC

[incubator-nuttx-apps] 02/02: netlib_parseurl.c: Fix string overruns

This is an automated email from the ASF dual-hosted git repository.

xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx-apps.git

commit 998abe1deb4b9f1f2e0507d6f2157ccd260ed361
Author: YAMAMOTO Takashi <ya...@midokura.com>
AuthorDate: Fri May 7 15:20:34 2021 +0900

    netlib_parseurl.c: Fix string overruns
    
    For EINVAL, it doesn't make sense to keep parsing.
    (For E2BIG, it might make some sense.)
    
    Found by LLVM ASan.
    
    ```
    =================================================================
    ==81622==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f2 at pc 0x00010d2746ca bp 0x7ffee29a9980 sp 0x7ffee29a9978
    READ of size 1 at 0x6020000000f2 thread T0
        #0 0x10d2746c9 in netlib_parseurl netlib_parseurl.c:121
        #1 0x10d26b293 in parseurl webclient.c:479
        #2 0x10d265e48 in webclient_perform webclient.c:690
        #3 0x10d277c5b in main main.c:210
        #4 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4)
    
    0x6020000000f2 is located 0 bytes to the right of 2-byte region [0x6020000000f0,0x6020000000f2)
    allocated by thread T0 here:
        #0 0x10d3996d3 in wrap_strdup+0x203 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x3e6d3)
        #1 0x10d276abe in main main.c:147
        #2 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow netlib_parseurl.c:121 in netlib_parseurl
    Shadow bytes around the buggy address:
      0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
    =>0x1c0400000010: fa fa 00 fa fa fa 00 00 fa fa 00 06 fa fa[02]fa
      0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==81622==ABORTING
    ```
---
 netutils/netlib/netlib_parseurl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/netutils/netlib/netlib_parseurl.c b/netutils/netlib/netlib_parseurl.c
index 9e46a32..dd10930 100644
--- a/netutils/netlib/netlib_parseurl.c
+++ b/netutils/netlib/netlib_parseurl.c
@@ -113,21 +113,21 @@ int netlib_parseurl(FAR const char *str, FAR struct url_s *url)
 
   if (*src != ':')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;
 
   if (*src != '/')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;
 
   if (*src != '/')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;
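Review bot: The switch from `ret = -EINVAL;` to `return -EINVAL;` in all three checks is the right fix, because before this change a failed check only recorded the error and the unconditional `src++` that follows still advanced, so the next `*src` read (line 121, the second `'/'` check) ran past the terminating NUL of a short input, which is exactly the 1-byte read just past the 2-byte strdup'd region in the ASan report above. Two follow-ups: the three check/advance pairs could collapse into one `if (strncmp(src, "://", 3) != 0) return -EINVAL;` followed by `src += 3;`, which stops at the NUL by itself and avoids repeating the pattern; and since the function now returns before the remaining `url` fields are filled in, the function's header comment should state that `*url` is left partially written when -EINVAL is returned, so callers do not rely on its contents.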