
escape_with_table invalid access #1222

Closed
mmmds opened this issue Jul 25, 2019 · 0 comments
mmmds commented Jul 25, 2019

cherokee/buffer.c:

[...]
escape_with_table (cherokee_buffer_t *buffer,
1342                     cherokee_buffer_t *src,
1343                     uint32_t          *is_char_escaped)
[...]
1346  	const char *s,*s_next;
[...]
1359  	s = src->buf;
1360  	do {
1361  		s_next = utf8_get_next_char (s);
1362  
1363  		/* It's single-byte character */
1364  		if ((s_next - s) == 1) {
1365  
1366  			/* Check whether it has to be escaped */
1367  			if (is_char_escaped[*s >> 5] & (1 << (*s & 0x1f))) {
[...]

In line 1367, *s is used to index the is_char_escaped table. Because *s is signed,
we can get (negative value) >> 5, which results in a negative value, so
we access memory before is_char_escaped.

Simple PoC to reproduce:

echo -e "GET http://SilaHonorUlica/test8/test\xff.html HTTP/1.1\nHost: xoxoxo\nUser-Agent: netcat\n\n" | nc ::1 8765

test8 is a handler for the proxy module.

Patch for this issue:

diff --git a/cherokee/buffer.c b/cherokee/buffer.c
index d93c163..9250c5c 100644
--- a/cherokee/buffer.c
+++ b/cherokee/buffer.c
@@ -1343,8 +1343,8 @@ escape_with_table (cherokee_buffer_t *buffer,
                    uint32_t          *is_char_escaped)
 {
        char *t;
-       const char *s,*s_next;
-       char *end;
+       const unsigned char *s,*s_next;
+       unsigned char *end;
        cuint_t        n_escape    = 0;
        static char    hex_chars[] = "0123456789abcdef";
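Review bot: the hunk changes only the declarations, but `s = src->buf;` and `s_next = utf8_get_next_char (s);` further down still assign and pass a plain `char *`; with `s` and `s_next` now `const unsigned char *` those lines mix pointer types and need explicit casts (or utf8_get_next_char's parameter type changed to match), otherwise the build reports incompatible pointer types. Also confirm that every is_char_escaped table passed in has 8 uint32_t entries: once the byte is unsigned, `*s >> 5` ranges over 0..7, so a 4-word table covering only 0..127 would still be read past its end for bytes >= 0x80, just on the other side. A narrower alternative is to cast at the use site, `is_char_escaped[(unsigned char)*s >> 5] & (1 << (*s & 0x1f))`, which leaves the pointer types alone.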

Setup:

  • Ubuntu 18.04 64 bit
  • source code from github, commit 9a75e65
  • build command:

ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
make

  • files in webroot: mkdir /var/www/test{1..20}; for i in $(seq 1 20); do echo test > /var/www/test$i/test.html; done
  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
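As an added example (not cherokee's code and not part of the report above), the index computation from line 1367 with a signed and an unsigned char side by side, followed by a hardened percent-escaper that scans its input as unsigned bytes so the table lookup can never go negative. The 8-word table layout (one bit per byte value), the unreserved-character set, the sample input and all function names are assumptions of this example.

```c
/* Added example, not cherokee's code: the signed-char table index from
 * escape_with_table and a hardened byte scanner. Table layout and names are
 * assumptions of this example. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESC_WORDS 8   /* 8 * 32 bits = one bit for every byte value 0..255 */

typedef struct {
    uint32_t bits[ESC_WORDS];
} escape_table_t;

static void table_clear(escape_table_t *t)
{
    memset(t, 0, sizeof *t);
}

static void table_set(escape_table_t *t, unsigned char c)
{
    t->bits[c >> 5] |= (uint32_t)1 << (c & 0x1f);
}

/* Index computation as in the original: the byte is a plain char. Where char
 * is signed (x86-64 gcc/clang), bytes >= 0x80 are negative after integer
 * promotion and (negative) >> 5 is negative, so the table is read out of
 * bounds. On targets with unsigned char this returns 0..7 instead. */
int word_index_signed(char c)
{
    return c >> 5;
}

/* Index computation after the patch: the byte is read as unsigned, so the
 * word index is always 0..7 for an 8-word table. */
int word_index_unsigned(unsigned char c)
{
    return c >> 5;
}

/* Lookup that only ever sees an unsigned byte. */
int is_escaped(const escape_table_t *t, unsigned char c)
{
    return (t->bits[c >> 5] >> (c & 0x1f)) & 1;
}

/* Percent-escape src (len bytes) into dst (dst_size bytes) using t. Scans the
 * input as unsigned char. Returns the number of bytes written (without the
 * terminating NUL) or -1 if dst is too small. Does not interpret UTF-8:
 * multibyte sequences are just bytes that are either in the table or not. */
long escape_with_table_safe(const escape_table_t *t, const char *src,
                            size_t len, char *dst, size_t dst_size)
{
    static const char hex_chars[] = "0123456789abcdef";
    const unsigned char *s = (const unsigned char *)src;
    size_t out = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = s[i];
        if (is_escaped(t, c)) {
            if (out + 3 >= dst_size) return -1;
            dst[out++] = '%';
            dst[out++] = hex_chars[c >> 4];
            dst[out++] = hex_chars[c & 0x0f];
        } else {
            if (out + 1 >= dst_size) return -1;
            dst[out++] = (char)c;
        }
    }
    dst[out] = '\0';
    return (long)out;
}

/* Assumed policy for this example: escape every byte outside the RFC 3986
 * unreserved set plus '/'. Every byte >= 0x80 is therefore escaped. */
void build_url_table(escape_table_t *t)
{
    table_clear(t);
    for (int c = 0; c < 256; c++) {
        int keep = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                   c == '_' || c == '~' || c == '/';
        if (!keep) table_set(t, (unsigned char)c);
    }
}

int main(void)
{
    escape_table_t t;
    char out[64];
    /* Constructed input: the path from the PoC request, with the 0xff byte. */
    const char in[] = "/test8/test\xff.html";

    build_url_table(&t);
    printf("signed index of 0xff:   %d\n", word_index_signed((char)0xff));
    printf("unsigned index of 0xff: %d\n", word_index_unsigned(0xff));
    escape_with_table_safe(&t, in, sizeof in - 1, out, sizeof out);
    printf("%s\n", out);
    return 0;
}
```

Compiling with -fsanitize=address as in the setup above and feeding word_index_signed's result into a table lookup is exactly the access ASan reports for the PoC; the hardened scanner keeps the index in 0..7 regardless of whether char is signed on the target.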

skinkie added a commit that referenced this issue Jul 25, 2019
@skinkie skinkie self-assigned this Jul 25, 2019
@skinkie skinkie added the t:bug label Jul 25, 2019