I did some testing of the uri_parser module as provided in sys/uri_parser. I believe I discovered an edge-case where the parser performs an out-of-bounds read of the provided buffer. The code causing this is:
thanks for this detailed report (: I was able to reproduce on native and while going through the code I also adjusted the unit tests for the case you presented "A://@". That's correct, right?
Yes, that's correct. I also found a separate issue while testing my fix for this issue. I documented this separately in #15930. Hope that's the correct way to do this. Thanks for your quick fix!
Description
I did some testing of the
uri_parsermodule as provided insys/uri_parser. I believe I discovered an edge-case where the parser performs an out-of-bounds read of the provided buffer. The code causing this is:RIOT/sys/uri_parser/uri_parser.c
Lines 76 to 80 in 9eb6a38
which advances
result->hostwithout a bounds check and even ifuserinfo_lenis zeroresult->hostis still advanced by one byte.Steps to reproduce the issue
Application code:
Minimal
Makefile:Afterwards, compile as:
And run the application using:
Expected results
The application shouldn't crash.
Actual results
Versions
I don't think this is needed, if you need more information let me know.
The text was updated successfully, but these errors were encountered: