New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http2: avoid strstr() on data not zero terminated #2513

Closed
wants to merge 1 commit into
from

Conversation

Projects
None yet
1 participant
@bagder
Member

bagder commented Apr 20, 2018

It's not strictly clear if the API contract allows us to call strstr()
on a string that isn't zero terminated even when we know it will find
the substring, and clang's ASAN check dislikes us for it.

Also added a check of the return code in case it fails, even if I can't
think of a situation how that can trigger.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760

http2: avoid strstr() on data not zero terminated
It's not strictly clear if the API contract allows us to call strstr()
on a string that isn't zero terminated even when we know it will find
the substring, and clang's ASAN check dislikes us for it.

Also added a check of the return code in case it fails, even if I can't
think of a situation how that can trigger.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760

@bagder bagder added the HTTP/2 label Apr 20, 2018

@bagder bagder closed this in 1514c44 Apr 20, 2018

@bagder bagder deleted the bagder/http2-avoid-strstr-on-data branch Apr 20, 2018

@lock lock bot locked as resolved and limited conversation to collaborators Jul 19, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.