From: Shmael13
Date: Mon, 15 Jun 2026 16:07:37 +0000 (+0500)
Subject: demos/http3: fix missing NUL terminator on h3ssl->url
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b298b4446601301316718e9cd4fc3ecb9856ea8d;p=thirdparty%2Fopenssl.git

demos/http3: fix missing NUL terminator on h3ssl->url

In the HTTP/3 demo server's :path handler, when the path value does not
begin with '/', the value is copied into the fixed-size url[MAXURL]
buffer with memcpy(h3ssl->url, vvalue.base, len) and no terminator is
written.

len is capped at MAXURL, so a :path value of MAXURL or more bytes fills
the entire buffer, overwriting the zeroes from the preceding memset and
leaving url without a NUL terminator. The buffer is later used as a C
string by strcat() and strcmp() when building the file name, resulting
in a heap out-of-bounds read and a possible overflow of the
filename[PATH_MAX] buffer. This is reachable from a client-supplied
:path header.

Cap the length at MAXURL - 1 so that the trailing byte zeroed by the
memset always remains, guaranteeing url is NUL-terminated in every
branch. The '/'-prefixed branches are unaffected as they already write
an explicit terminator within the smaller bound.

Fixes #31516

Reviewed-by: Tim Hudson
Reviewed-by: Norbert Pocs
Reviewed-by: Nikola Pajkovsky
Reviewed-by: Neil Horman
MergeDate: Sun Jun 21 16:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/31520)
---
diff --git a/demos/http3/ossl-nghttp3-demo-server.c b/demos/http3/ossl-nghttp3-demo-server.c index 92cc10c067a..4529e35268f 100644 --- a/demos/http3/ossl-nghttp3-demo-server.c +++ b/demos/http3/ossl-nghttp3-demo-server.c 
@@ -291,7 +291,7 @@ static int on_recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token, fprintf(stdout, "\n"); if (token == NGHTTP3_QPACK_TOKEN__PATH) { - int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL)); + int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL - 1)); memset(h3ssl->url, 0, sizeof(h3ssl->url)); if (vvalue.base[0] == '/') {
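Review bot: On the changed `int len = ...` line, the NUL terminator is still only implicit: the comparison tests against `MAXURL`, the cap is `MAXURL - 1`, and the terminating byte exists solely because the `memset` on the following line zeroed the buffer first. The arithmetic is correct (a value of `MAXURL` bytes or more is truncated to `MAXURL - 1`), but a later edit that reorders or drops the `memset` would silently reintroduce the unterminated buffer. Consider deriving the bound from the buffer itself, for example `sizeof(h3ssl->url) - 1` in both the comparison and the cap, and writing `h3ssl->url[len] = '\0'` after the copy so this branch terminates explicitly like the '/'-prefixed ones described in the commit message. `len` is also an `int` assigned from `vvalue.len`; a size type would avoid the mixed comparison. Separately, the context line `if (vvalue.base[0] == '/')` reads the first byte of the value with no visible check in this hunk that the value is non-empty, so a guard on `vvalue.len` before that read is worth adding here. Finally, an over-long :path is now truncated without notice and then used to build a file name; rejecting the request when `vvalue.len` exceeds the buffer would be a clearer behaviour for demo code that others are likely to copy.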