From: Neil Horman <nhorman@openssl.org>
Date: Fri, 13 Dec 2024 13:54:49 +0000 (-0500)
Subject: Correct copying of the url value
X-Git-Tag: openssl-3.5.0-alpha1~281
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=861a322400da021c524410452deaeefbf8d048fb;p=thirdparty%2Fopenssl.git

Correct copying of the url value

When setting up the url value we copy data from memory regions that
overlap, it leads to bogus output, correct that.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26180)
---

diff --git a/demos/http3/ossl-nghttp3-demo-server.c b/demos/http3/ossl-nghttp3-demo-server.c
index dcfd652ca2d..2541d78d369 100644
--- a/demos/http3/ossl-nghttp3-demo-server.c
+++ b/demos/http3/ossl-nghttp3-demo-server.c
@@ -289,15 +289,15 @@ static int on_recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
     if (token == NGHTTP3_QPACK_TOKEN__PATH) {
         int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL));
 
-        memcpy(h3ssl->url, vvalue.base, len);
-        if (h3ssl->url[0] == '/') {
-            if (h3ssl->url[1] == '\0') {
+        memset(h3ssl->url, 0, sizeof(h3ssl->url));
+        if (vvalue.base[0] == '/') {
+            if (vvalue.base[1] == '\0') {
                 strncpy(h3ssl->url, "index.html", MAXURL);
-                h3ssl->url[MAXURL - 1] = '\0';
             } else {
-                memcpy(h3ssl->url, h3ssl->url + 1, len - 1);
-                h3ssl->url[len - 1] = '\0';
+                memcpy(h3ssl->url, &vvalue.base[1], len - 1);
             }
+        } else {
+            memcpy(h3ssl->url, vvalue.base, len);
         }
     }