
Commit 316da5e

addaleaxMylesBorins
authored andcommitted
src: use correct OOB check for IPv6 parsing
`last_piece` pointed to the end of the 8×16 bit array, so `piece_pointer == last_piece` already means that the pointer is not writable any longer. Previously, this still worked most of the time but could result in an out-of-bounds-write. Also, rename `last_piece` to `buffer_end` to avoid this pitfall. PR-URL: #17470 Reviewed-By: Timothy Gu <[email protected]>
1 parent ca3c255 commit 316da5e


1 file changed

+5
-5
lines changed


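--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -650,7 +650,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 for (unsigned n = 0; n < 8; n++)
 value_.ipv6[n] = 0;
 uint16_t* piece_pointer = &value_.ipv6[0];
-uint16_t* last_piece = piece_pointer + 8;
+uint16_t* const buffer_end = piece_pointer + 8;
 uint16_t* compress_pointer = nullptr;
 const char* pointer = input;
 const char* end = pointer + length;
@@ -665,7 +665,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 compress_pointer = piece_pointer;
 }
 while (ch != kEOL) {
-if (piece_pointer > last_piece)
+if (piece_pointer >= buffer_end)
 return;
 if (ch == ':') {
 if (compress_pointer != nullptr)
@@ -690,7 +690,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 return;
 pointer -= len;
 ch = pointer < end ? pointer[0] : kEOL;
-if (piece_pointer > last_piece - 2)
+if (piece_pointer > buffer_end - 2)
 return;
 numbers_seen = 0;
 while (ch != kEOL) {
@@ -744,7 +744,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 
 if (compress_pointer != nullptr) {
 swaps = piece_pointer - compress_pointer;
-piece_pointer = last_piece - 1;
+piece_pointer = buffer_end - 1;
 while (piece_pointer != &value_.ipv6[0] && swaps > 0) {
 uint16_t temp = *piece_pointer;
 uint16_t* swap_piece = compress_pointer + swaps - 1;
@@ -754,7 +754,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
 swaps--;
 }
 } else if (compress_pointer == nullptr &&
-piece_pointer != last_piece) {
+piece_pointer != buffer_end) {
 return;
 }
 type_ = HostType::H_IPV6;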
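Review bot: The one-past-the-end meaning of `buffer_end` is carried only by its new name, and its declaration in the first hunk still repeats the literal `8` from the zeroing loop above it. A comment on the declaration such as `// One past the last writable piece; must never be dereferenced.` would record the invariant behind the `>=` check in the second hunk and the `> buffer_end - 2` check in the third (presumably leaving room for two more pieces). If `value_.ipv6` is a plain array, as the commit message's "8×16 bit array" suggests, `uint16_t* const buffer_end = std::end(value_.ipv6);` would tie the bound to the storage instead of a duplicated constant. The commit touches only src/node_url.cc, so nothing visible here pins the fixed behaviour. A regression test expecting the parse to fail once the input supplies more pieces than the buffer holds would guard against the comparison drifting again. ParseIPv6Host starts and ends outside these hunks.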
