CVE: CVE-2019-11072 Upstream-Status: Backport Signed-off-by: Ross Burton From 32120d5b8b3203fc21ccb9eafb0eaf824bb59354 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 10 Apr 2019 11:28:10 -0400 Subject: [PATCH] [core] fix abort in http-parseopts (fixes #2945) fix abort in server.http-parseopts with url-path-2f-decode enabled (thx stze) x-ref: "Security - SIGABRT during GET request handling with url-path-2f-decode enabled" https://redmine.lighttpd.net/issues/2945 --- src/burl.c | 6 ++++-- src/t/test_burl.c | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/burl.c b/src/burl.c index 51182628..c4b928fd 100644 --- a/src/burl.c +++ b/src/burl.c @@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i) } } if (qs >= 0) { - memmove(s+j, s+qs, blen - qs); - j += blen - qs; + const int qslen = blen - qs; + memmove(s+j, s+qs, (size_t)qslen); + qs = j; + j += qslen; } buffer_string_set_length(b, j); return qs; diff --git a/src/t/test_burl.c b/src/t/test_burl.c index 7be9be50..f7a16815 100644 --- a/src/t/test_burl.c +++ b/src/t/test_burl.c @@ -97,6 +97,8 @@ static void test_burl_normalize (void) { flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE; run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/")); run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?")); + run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?")); run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b")); run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b")); run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));