detect and reject NUL bytes embedded in the request

author: Omar Polo <op@omarpolo.com> 2024-06-10 08:20:35 +0000
committer: Omar Polo <op@omarpolo.com> 2024-06-10 08:20:35 +0000
commit: 36bdda94c186d284dc0108adb170eda362d2b545 (patch)
tree: 4b792315049a66f98ea03d97aa39ebfc1091d741 /server.c
parent: 9325f61db06f4743f6081a7f899e0eb7ba5c1998 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/server.c b/server.c
index abd697b..7964a74 100644
--- a/server.c
+++ b/server.c
@@ -951,6 +951,8 @@ client_read(struct bufferevent *bev, void *d)
 	struct evbuffer	*src = EVBUFFER_INPUT(bev);
 	const char	*path, *p, *parse_err = "invalid request";
 	char		 decoded[DOMAIN_NAME_LEN];
+	char		*nul;
+	size_t		 len;
 
 	bufferevent_disable(bev, EVBUFFER_READ);
 
@@ -981,6 +983,14 @@ client_read(struct bufferevent *bev, void *d)
 		return;
 	}
 
+	nul = strchr(c->req, '\0');
+	len = nul - c->req;
+	if (len != c->reqlen) {
+		log_debug("NUL inside the request IRI");
+		start_reply(c, BAD_REQUEST, "bad request");
+		return;
+	}
+
 	if (!parse_iri(c->req, &c->iri, &parse_err) ||
 	    !puny_decode(c->iri.host, decoded, sizeof(decoded), &parse_err)) {
 		log_debug("IRI parse error: %s", parse_err);
author	Omar Polo <op@omarpolo.com>	2024-06-10 08:20:35 +0000
committer	Omar Polo <op@omarpolo.com>	2024-06-10 08:20:35 +0000
commit	36bdda94c186d284dc0108adb170eda362d2b545 (patch)
tree	4b792315049a66f98ea03d97aa39ebfc1091d741 /server.c
parent	9325f61db06f4743f6081a7f899e0eb7ba5c1998 (diff)