From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 12 Oct 2022 21:03:26 +0000 (+0200)
Subject: http_aws_sigv4: fix strlen() check
X-Git-Tag: curl-7_86_0~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57ba1dd51975c95628cc3936ab086f80cba4c2d0;p=thirdparty%2Fcurl.git

http_aws_sigv4: fix strlen() check

The check was off-by-one leading to buffer overflow.

Follow-up to 29c4aa00a16872

Detected by OSS-Fuzz

Closes #9714
---

diff --git a/lib/http_aws_sigv4.c b/lib/http_aws_sigv4.c
index edd0ebe470..440eb385f8 100644
--- a/lib/http_aws_sigv4.c
+++ b/lib/http_aws_sigv4.c
@@ -124,8 +124,9 @@ static void trim_headers(struct curl_slist *head)
 
 #define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date"))
 
+#define MAX_HOST_LEN 255
 /* FQDN + host: */
-#define FULL_HOST_LEN (255 + sizeof("host:"))
+#define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:"))
 
 /* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */
 #define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1)
@@ -162,7 +163,7 @@ static CURLcode make_headers(struct Curl_easy *data,
     head = NULL;
   }
   else {
-    char full_host[FULL_HOST_LEN];
+    char full_host[FULL_HOST_LEN + 1];
 
     if(data->state.aptr.host) {
       size_t pos;
@@ -177,7 +178,7 @@ static CURLcode make_headers(struct Curl_easy *data,
       full_host[pos] = 0;
     }
     else {
-      if(strlen(hostname) > FULL_HOST_LEN) {
+      if(strlen(hostname) > MAX_HOST_LEN) {
         ret = CURLE_URL_MALFORMAT;
         goto fail;
       }