rpki-client: avoid NULL access in http_parse_uri()

Theo Buehler Thu, 18 Mar 2021 07:55:30 -0700

A malformed URI such as "https://[::1/index.html"; causes a NULL access
in the hosttail[1] == ":" check.


Index: http.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v
retrieving revision 1.6
diff -u -p -r1.6 http.c
--- http.c      18 Mar 2021 14:08:01 -0000      1.6
+++ http.c      18 Mar 2021 14:43:31 -0000
@@ -357,8 +357,11 @@ http_parse_uri(char *uri, char **ohost, 
        }
        if (*host == '[') {
                char *scope;
-               if ((hosttail = memrchr(host, ']', path - host)) != NULL &&
-                   (hosttail[1] == '/' || hosttail[1] == ':'))
+               if ((hosttail = memrchr(host, ']', path - host)) == NULL) {
+                       warnx("%s: unmatched opening bracket", http_info(uri));
+                       return -1;
+               }
+               if (hosttail[1] == '/' || hosttail[1] == ':')
                        host++;
                if (hosttail[1] == ':')
                        port = hosttail + 1;

rpki-client: avoid NULL access in http_parse_uri()

Reply via email to