authorAnna Henningsen <anna@addaleax.net>2017-12-05 21:40:16 +0300
committerRuben Bridgewater <ruben@bridgewater.de>2017-12-12 18:52:27 +0300
commite8a5f7bfb3a4b30b6313247fddd816cc92138193 (patch)
treeef039562351988c039590000568b3893b8f52b94 /src/node_url.cc
parent9236dfe1ef3becfc02a18770ec5e74bf3b01bd99 (diff)
src: use correct OOB check for IPv6 parsing
`last_piece` pointed to the end of the 8×16 bit array, so `piece_pointer == last_piece` already means that the pointer is not writable any longer. Previously, this still worked most of the time but could result in an out-of-bounds-write. Also, rename `last_piece` to `buffer_end` to avoid this pitfall. PR-URL: https://github.com/nodejs/node/pull/17470 Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Diffstat (limited to 'src/node_url.cc')
-rw-r--r--src/node_url.cc10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/node_url.cc b/src/node_url.cc
index 1b90df3b92a..578c73c7f03 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -650,7 +650,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
for (unsigned n = 0; n < 8; n++)
value_.ipv6[n] = 0;
uint16_t* piece_pointer = &value_.ipv6[0];
- uint16_t* last_piece = piece_pointer + 8;
+ uint16_t* const buffer_end = piece_pointer + 8;
uint16_t* compress_pointer = nullptr;
const char* pointer = input;
const char* end = pointer + length;
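Review bot: The one-past-the-end pointer on the `buffer_end` line is still built from a literal `8` that is repeated in the zeroing loop just above it, so the bound and the storage can drift apart if the array ever changes. If `value_.ipv6` is a plain array (its declaration is outside this hunk), deriving the bound from it keeps the two tied together: `uint16_t* const buffer_end = std::end(value_.ipv6);`. A short comment such as `// One past the last piece: compare against it, never dereference it.` would also record the convention the rename is meant to convey. ParseIPv6Host begins and ends outside the hunk.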
@@ -665,7 +665,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
compress_pointer = piece_pointer;
}
while (ch != kEOL) {
- if (piece_pointer > last_piece)
+ if (piece_pointer >= buffer_end)
return;
if (ch == ':') {
if (compress_pointer != nullptr)
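Review bot: The `piece_pointer >= buffer_end` guard at the top of this loop is what keeps caller-supplied host text from producing a write past `value_.ipv6`, and nothing next to it says so. A comment above it, for example `// piece_pointer must be dereferenceable for every store below; buffer_end is one past the last piece.`, would make it harder for a later edit to relax the comparison back to `>`. The diffstat on this page is limited to src/node_url.cc, so it is not visible whether a regression test for a host with more than eight pieces accompanies the change; if none does, one run under AddressSanitizer would pin the fix. The loop body continues outside the hunk.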
@@ -690,7 +690,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
return;
pointer -= len;
ch = pointer < end ? pointer[0] : kEOL;
- if (piece_pointer > last_piece - 2)
+ if (piece_pointer > buffer_end - 2)
return;
numbers_seen = 0;
while (ch != kEOL) {
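Review bot: The dotted-quad guard `piece_pointer > buffer_end - 2` expresses the same kind of bound as the `>=` check earlier in the function, but in a different shape, and mixed comparison shapes are what let the original off-by-one go unnoticed. Stating it as remaining capacity reads more directly: `if (buffer_end - piece_pointer < 2)`. The inner `while` that stores the IPv4 pieces continues outside the hunk, so whether it can advance `piece_pointer` more than twice cannot be confirmed from these lines.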
@@ -744,7 +744,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
if (compress_pointer != nullptr) {
swaps = piece_pointer - compress_pointer;
- piece_pointer = last_piece - 1;
+ piece_pointer = buffer_end - 1;
while (piece_pointer != &value_.ipv6[0] && swaps > 0) {
uint16_t temp = *piece_pointer;
uint16_t* swap_piece = compress_pointer + swaps - 1;
@@ -754,7 +754,7 @@ void URLHost::ParseIPv6Host(const char* input, size_t length) {
swaps--;
}
} else if (compress_pointer == nullptr &&
- piece_pointer != last_piece) {
+ piece_pointer != buffer_end) {
return;
}
type_ = HostType::H_IPV6;
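Review bot: The `compress_pointer == nullptr &&` term in the `else if` looks redundant, since this branch appears to be the `else` of `if (compress_pointer != nullptr)` from the previous hunk (the lines between the two hunks are not shown). If that reading is right, `} else if (piece_pointer != buffer_end) {` says the same thing with less to misread. The bare `return` seems to signal failure only by leaving `type_` unset before the `HostType::H_IPV6` assignment; a one-line comment such as `// Fewer than eight pieces and no "::": reject, type_ stays unset.` would make that contract explicit.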