Copilot commented on code in PR #13303:
URL: https://github.com/apache/trafficserver/pull/13303#discussion_r3444409200
##########
plugins/header_rewrite/operators.cc:
##########
@@ -100,10 +100,11 @@ createRequestString(const std::string_view &value, char
(&req_buf)[MAX_SIZE], in
if (TSUrlCreate(url_buf, &url_loc) == TS_SUCCESS && TSUrlParse(url_buf,
url_loc, &start, end) == TS_PARSE_DONE) {
const char *host = TSUrlHostGet(url_buf, url_loc, &host_len);
- const char *url = TSUrlStringGet(url_buf, url_loc, &url_len);
+ char *url = TSUrlStringGet(url_buf, url_loc, &url_len);
*req_buf_size = snprintf(req_buf, MAX_SIZE, "GET %.*s HTTP/1.1\r\nHost:
%.*s\r\n\r\n", url_len, url, host_len, host);
Review Comment:
`TSUrlHostGet()` and `TSUrlStringGet()` can return `nullptr` (e.g.
empty/invalid URL parts). Passing a null pointer to `snprintf("%.*s", ...)` is
undefined behavior, and `snprintf()`'s return value can exceed `MAX_SIZE` (it
reports the *would-have-written* length). If that happens, `req_buf_size`
becomes larger than the actual stack buffer and `TSFetchUrl()` may read past
`req_buf`.
Consider validating `host`/`url` before formatting, and clamp/error out on
truncation so `req_buf_size` never exceeds `MAX_SIZE`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]