From 2a99e0920b29cd6baa36dd12c8c24193c0e76f75 Mon Sep 17 00:00:00 2001
From: Jacob Champion
Date: Tue, 20 Jun 2017 23:08:19 +0000
Subject: [PATCH] util.c: ensure all TEST_CHAR loops stop at the null terminator
In the aftermath of CVE-2017-7668, decouple the business logic ("is NULL a T_HTTP_CTRL") from the postcondition ("must not go past the end of the string"). The NULL-byte classification in the TEST_CHAR table may change in the future.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1799375 13f79535-47bb-0310-9956-ffa450edef68
---
 server/util.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/server/util.c b/server/util.c
index 4018b9f0ed..3c001511be 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1526,7 +1526,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
 while (!string_end) {
 const unsigned char c = (unsigned char)*cur;
- if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
+ if (c && !TEST_CHAR(c, T_HTTP_TOKEN_STOP)) {
 /* Non-separator character; we are finished with leading
 * whitespace. We must never have encountered any trailing
 * whitespace before the delimiter (comma) */
@@ -1600,7 +1600,7 @@ AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
 */
 AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
 {
- for ( ; !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
+ for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_CTRLS); ++ptr) ;
 return ptr;
 }
@@ -1610,7 +1610,7 @@ AP_DECLARE(const char *) ap_scan_http_field_content(const char *ptr)
 */
 AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
 {
- for ( ; !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
+ for ( ; *ptr && !TEST_CHAR(*ptr, T_HTTP_TOKEN_STOP); ++ptr) ;
 return ptr;
 }
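Review bot: The new `c &&` guard in `ap_parse_token_list_strict` carries no comment explaining why it is there, so a later cleanup could remove it as redundant with the table lookup. I would add above the condition `/* Check for NUL explicitly; do not rely on the TEST_CHAR table marking '\0' as T_HTTP_TOKEN_STOP. */`. With this change a NUL byte is handled by whatever follows this `if`, and the rest of the loop body is outside the hunk. `while (!string_end)` is the only exit visible here, so that later path presumably sets `string_end` for `c == '\0'`; that should be confirmed, since otherwise `cur` would move past the terminator.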
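Review bot: The doc comments for `ap_scan_http_field_content` (this hunk), `ap_scan_http_token` and `ap_scan_vchar_obstext` (the next two hunks) should state the contract these loops now enforce. After the change each scanner stops on `*ptr == '\0'` or a table hit, so the terminator is the only bound on the read and safety rests on the caller passing a NUL-terminated string. The comments end just above each signature and their text is outside the hunks. I would add to each something like `The scan never advances past the terminating NUL; ptr must point to a NUL-terminated string, and the returned pointer may point at that NUL.` A caller holding length-delimited, unterminated data would still read past the end of its buffer, so that precondition belongs in the API documentation.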
@@ -1620,7 +1620,7 @@ AP_DECLARE(const char *) ap_scan_http_token(const char *ptr)
 */
 AP_DECLARE(const char *) ap_scan_vchar_obstext(const char *ptr)
 {
- for ( ; TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
+ for ( ; *ptr && TEST_CHAR(*ptr, T_VCHAR_OBSTEXT); ++ptr) ;
 return ptr;
 }
--
2.50.1