author | Anna Henningsen <anna@addaleax.net> | 2017-12-05 19:40:16 +0100 |
---|---|---|
committer | Myles Borins <mylesborins@google.com> | 2018-02-12 19:28:37 -0500 |
commit | 57865a9213c1706de603e29b7647a6040bcc828f (patch) | |
tree | dff4ece61168809590d792fea1bfef5f60246c2f | |
parent | f306d3eb7a7af954352f76c62c7c15427c89d05d (diff) | |
download | node-new-57865a9213c1706de603e29b7647a6040bcc828f.tar.gz |
src: use correct OOB check for IPv6 parsing
`last_piece` pointed to the end of the 8×16 bit array,
so `piece_pointer == last_piece` already means that the pointer
is not writable any longer.
Previously, this still worked most of the time but could
result in an out-of-bounds-write.
Also, rename `last_piece` to `buffer_end` to avoid this pitfall.
Backport-PR-URL: https://github.com/nodejs/node/pull/18324
PR-URL: https://github.com/nodejs/node/pull/17470
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
-rw-r--r-- | src/node_url.cc | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/node_url.cc b/src/node_url.cc
index aa2709a5f8..82d411d03c 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -650,7 +650,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 for (unsigned n = 0; n < 8; n++)
 value_.ipv6[n] = 0;
 uint16_t* piece_pointer = &value_.ipv6[0];
- uint16_t* last_piece = piece_pointer + 8;
+ uint16_t* const buffer_end = piece_pointer + 8;
 uint16_t* compress_pointer = nullptr;
 const char* pointer = input;
 const char* end = pointer + length;
@@ -665,7 +665,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 compress_pointer = piece_pointer;
 }
 while (ch != kEOL) {
- if (piece_pointer > last_piece)
+ if (piece_pointer >= buffer_end)
 return;
 if (ch == ':') {
 if (compress_pointer != nullptr)
@@ -690,7 +690,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 return;
 pointer -= len;
 ch = pointer < end ? pointer[0] : kEOL;
- if (piece_pointer > last_piece - 2)
+ if (piece_pointer > buffer_end - 2)
 return;
 numbers_seen = 0;
 while (ch != kEOL) {
@@ -744,7 +744,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 if (compress_pointer != nullptr) {
 swaps = piece_pointer - compress_pointer;
- piece_pointer = last_piece - 1;
+ piece_pointer = buffer_end - 1;
 while (piece_pointer != &value_.ipv6[0] && swaps > 0) {
 uint16_t temp = *piece_pointer;
 uint16_t* swap_piece = compress_pointer + swaps - 1;
@@ -754,7 +754,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 swaps--;
 }
 } else if (compress_pointer == nullptr &&
- piece_pointer != last_piece) {
+ piece_pointer != buffer_end) {
 return;
 }
 type_ = HostType::H_IPV6; |
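Review bot: The new `uint16_t* const buffer_end = piece_pointer + 8;` in the first hunk still hard-codes the literal 8 that the zeroing loop above it also uses, so the end pointer and the storage size are tied together only by convention. Deriving the bound from the array, for example `uint16_t* const buffer_end = piece_pointer + sizeof(value_.ipv6) / sizeof(value_.ipv6[0]);`, would keep them in step; this assumes `value_.ipv6` is a fixed-size array, which the hunk does not show. A one-line comment such as `// One past the last piece: valid for comparison, never for dereference.` would record the invariant the rename is meant to convey. The body of ParseIPv6Host starts before and continues past this hunk.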
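Review bot: Nothing in this commit pins the corrected guard `if (piece_pointer >= buffer_end)` in the second hunk, since the diffstat shows src/node_url.cc as the only file touched. The description says the old comparison could end in an out-of-bounds write, so a regression test belongs with the fix: one that parses an IPv6 host with more pieces than the array holds and asserts the parse fails, preferably exercised in a sanitizer build so a stray write is caught and not just silently tolerated. It would also help to add a comment at the check, for instance `// All eight pieces are filled; any further piece would write past value_.ipv6.`, because the writes it protects sit later in the loop body, outside this hunk. The same one-past-the-end reasoning applies to the `buffer_end - 2` check in the third hunk, which presumably reserves room for two pieces and would benefit from a similar comment.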