net/http: panic: runtime error: index out of range (when using a faulty proxy server)

[derlaft]

What version of Go are you using (go version)?

go1.9, problem exists in the master branch

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

not related

What did you do?

use a faulty proxy server

What did you expect to see?

no panic, error is returned

What did you see instead?

a panic

The problem is in this line: https://github.com/golang/go/blob/master/src/net/http/transport.go#L1133

	if resp.StatusCode != 200 {
		f := strings.SplitN(resp.Status, " ", 2)
		conn.Close()
		return nil, errors.New(f[1])
	}

The slice size of f is not checked. Therefore, if resp.Status has no spaces, the following panic is generated instead of the error:

   panic: runtime error: index out of range
   goroutine 101523 [running]:
   net/http.(*Transport).dialConn(0xc4236d3860, 0xd6a780, 0xc42007e030, 0xc4231c1400, 0xa5ed93, 0x5, 0xc420b9dee0, 0xd, 0xc4238a8380, 0x0, ...)
           /usr/lib64/go/src/net/http/transport.go:1128 +0x2090
   net/http.(*Transport).getConn.func4(0xc4236d3860, 0xd6a780, 0xc42007e030, 0xc421372300, 0xc4209a40c0)
           /usr/lib64/go/src/net/http/transport.go:943 +0x78
   created by net/http.(*Transport).getConn
           /usr/lib64/go/src/net/http/transport.go:942 +0x393

[odeke-em]

Thank you for the report @derlaft. This issue is a duplicate of #21701 and there is a CL and test ready for it, we just need to test out the code on Windows and then we'll be ready to merge and fix it. /cc @tombergan

[derlaft]

Thank you. Sorry for the dupe -- I checked the issues before posting, but not carefully enough.

[odeke-em]

That's alright @derlaft, it wasn't an obvious duplicate at all, I too had to double check and it is only by familiarity of that issue that I recalled it :)

[odeke-em]

@derlaft please get the latest from master, this bug was fixed by CL https://go-review.googlesource.com/c/59990/ that was merged already. Thank you for your report.

[anhhh11]

How can I apply these patch to Go official package or must build Go from scratch?

[odeke-em]

@anhhh11 you can take a look at https://golang.org/dl/#unstable or you can build from source as per https://golang.org/doc/install/source

[missdeer]

@odeke-em seemly i meet the same issue with go 1.9.3 on Windows, didn't it be fixed yet?

[odeke-em]

@missdeer it is fixed on Go1.10 and beyond, please try out Go1.10rc1 as per the comments on #22179 (comment)