demos/http3: fix missing NUL terminator on h3ssl->url

In the HTTP/3 demo server's :path handler, when the path value does not
begin with '/', the value is copied into the fixed-size url[MAXURL]
buffer with memcpy(h3ssl->url, vvalue.base, len) and no terminator is
written. len is capped at MAXURL, so a :path value of MAXURL or more
bytes fills the entire buffer, overwriting the zeroes from the preceding
memset and leaving url without a NUL terminator. The buffer is later
used as a C string by strcat() and strcmp() when building the file name,
resulting in a heap out-of-bounds read and a possible overflow of the
filename[PATH_MAX] buffer. This is reachable from a client-supplied
:path header.

Cap the length at MAXURL - 1 so that the trailing byte zeroed by the
memset always remains, guaranteeing url is NUL-terminated in every
branch. The '/'-prefixed branches are unaffected as they already write
an explicit terminator within the smaller bound.

Fixes #31516

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 16:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/31520)

diff --git a/demos/http3/ossl-nghttp3-demo-server.c b/demos/http3/ossl-nghttp3-demo-server.c
index 92cc10c067a0ca362a7cc9e7e7d443925566f9fd..4529e35268ff17c8893a180e32a809d82daf280f 100644 (file)
--- a/demos/http3/ossl-nghttp3-demo-server.c
+++ b/demos/http3/ossl-nghttp3-demo-server.c
@@ -291,7 +291,7 @@ static int on_recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
     fprintf(stdout, "\n");
 
     if (token == NGHTTP3_QPACK_TOKEN__PATH) {
-        int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL));
+        int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL - 1));
 
         memset(h3ssl->url, 0, sizeof(h3ssl->url));
         if (vvalue.base[0] == '/') {