detect and reject NUL bytes embedded in the request

2024-06-10 08:20:35 +00:00 · 2024-06-10 08:20:35 +00:00 · 36bdda94c1
parent 9325f61db0
commit 36bdda94c1
1 changed files with 10 additions and 0 deletions
--- a/server.c
+++ b/server.c
@ -951,6 +951,8 @@ client_read(struct bufferevent *bev, void *d)
 	struct evbuffer	*src = EVBUFFER_INPUT(bev);
 	const char	*path, *p, *parse_err = "invalid request";
 	char		 decoded[DOMAIN_NAME_LEN];
+	char		*nul;
+	size_t		 len;

 	bufferevent_disable(bev, EVBUFFER_READ);

@ -981,6 +983,14 @@ client_read(struct bufferevent *bev, void *d)
 		return;
 	}

+	nul = strchr(c->req, '\0');
+	len = nul - c->req;
+	if (len != c->reqlen) {
+		log_debug("NUL inside the request IRI");
+		start_reply(c, BAD_REQUEST, "bad request");
+		return;
+	}
+
 	if (!parse_iri(c->req, &c->iri, &parse_err) ||
 	    !puny_decode(c->iri.host, decoded, sizeof(decoded), &parse_err)) {
 		log_debug("IRI parse error: %s", parse_err);