Check protocol length so that scanner don't overrun buffer

2014-04-22 23:20:33 +09:00 · 2014-04-22 23:20:33 +09:00 · 5aa0a0d099
parent 80eb988511
commit 5aa0a0d099
1 changed files with 3 additions and 1 deletions
--- a/lib/nghttp2_npn.c
+++ b/lib/nghttp2_npn.c
@ -33,12 +33,14 @@ int nghttp2_select_next_protocol(unsigned char **out, unsigned char *outlen,
  unsigned int i = 0;
  for(; i < inlen; i += in[i]+1) {
    if(in[i] == NGHTTP2_PROTO_VERSION_ID_LEN &&
+       i + 1 + in[i] <= inlen &&
       memcmp(&in[i+1], NGHTTP2_PROTO_VERSION_ID, in[i]) == 0) {
      *out = (unsigned char*)&in[i+1];
      *outlen = in[i];
      return 1;
    }
-    if(in[i] == 8 && memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
+    if(in[i] == 8 && i + 1 + in[i] <= inlen &&
+       memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
      http_selected = 1;
      *out = (unsigned char*)&in[i+1];
      *outlen = in[i];