From: Artem Boldariev
Date: Tue, 13 Jul 2021 12:44:15 +0000 (+0300)
Subject: Fix crash in DoH on empty query string in GET requests
X-Git-Tag: v9.17.17~26^2~1
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=64cd7e8a7fe878c331499bb04b93762c221f1f84;p=thirdparty%2Fbind9.git
Fix crash in DoH on empty query string in GET requests
An unhandled code path left GET query string data uninitialised (equal to NULL) and led to a crash during the requests' base64 data decoding. This commit fixes that.
---
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index af0739cbe4c..a51dbf233eb 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -1706,6 +1706,11 @@ server_handle_path_header(isc_nmsocket_t *socket, const uint8_t *value,
 socket->h2.request_path = NULL;
 return (ISC_HTTP_ERROR_NOT_FOUND);
 }
+ /* The spec does not mention which value the query string for POST
+ * should have. For GET we use its value to decode a DNS message
+ * from it, for POST the message is transferred in the body of the
+ * request. Taking it into account, it is much safer to treat POST
+ * requests with query strings as malformed ones. */
 if (qstr != NULL) {
 const char *dns_value = NULL;
 size_t dns_value_len = 0;
@@ -1734,6 +1739,9 @@ server_handle_path_header(isc_nmsocket_t *socket, const uint8_t *value,
 } else {
 return (ISC_HTTP_ERROR_BAD_REQUEST);
 }
+ } else if (qstr == NULL && socket->h2.request_type == ISC_HTTP_REQ_GET)
+ {
+ return (ISC_HTTP_ERROR_BAD_REQUEST);
 }
 return (ISC_HTTP_ERROR_SUCCESS);
 }
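Review bot: The comment added above `if (qstr != NULL)` documents only the POST-with-query-string case, while the rejection this commit actually introduces, a GET with no query string, is left unexplained. One more sentence would cover it, for example `A GET request without a query string carries no DNS message and is rejected as well.` Naming the document behind "The spec" (presumably RFC 8484) would also save the next reader a search. The POST check the comment refers to is not visible in this hunk, and server_handle_path_header starts and ends outside it.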
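Review bot: The `qstr == NULL` test in the added `else if` is redundant, because that branch is reached only when the preceding `if (qstr != NULL)` was false. `} else if (socket->h2.request_type == ISC_HTTP_REQ_GET) {` expresses the same condition and fits on one line without the dangling brace. The base64 decoding site named in the commit message is outside this hunk, so it cannot be checked here. If it still assumes non-NULL query data, a NULL check there would stop another unhandled path from becoming a crash reachable by any client of the DoH listener. A regression test sending a GET whose path has no `?` component would pin the fix; the function begins outside the hunk.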