From 78a56cf66f3bbe29f70b19eeaff0dbc63908c677 Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Mon, 18 May 2020 17:07:38 -0400
Subject: [PATCH 1/2] fix ubsan errors

Signed-off-by: Asra Ali
---
 lib/nghttp2_buf.c   | 6 ++++--
 lib/nghttp2_frame.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/nghttp2_buf.c b/lib/nghttp2_buf.c
index 2a435beb..a3284471 100644
--- a/lib/nghttp2_buf.c
+++ b/lib/nghttp2_buf.c
@@ -82,8 +82,10 @@ void nghttp2_buf_reset(nghttp2_buf *buf) {
 }
 
 void nghttp2_buf_wrap_init(nghttp2_buf *buf, uint8_t *begin, size_t len) {
-  buf->begin = buf->pos = buf->last = buf->mark = begin;
-  buf->end = begin + len;
+  buf->begin = buf->pos = buf->last = buf->mark = buf->end = begin;
+  if (len) {
+    buf->end += len;
+  }
 }
 
 static int buf_chain_new(nghttp2_buf_chain **chain, size_t chunk_length,
diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c
index 4821de40..86dcf9e2 100644
--- a/lib/nghttp2_frame.c
+++ b/lib/nghttp2_frame.c
@@ -818,8 +818,10 @@ int nghttp2_frame_unpack_origin_payload(nghttp2_extension *frame,
   size_t len = 0;
 
   origin = frame->payload;
-  p = payload;
-  end = p + payloadlen;
+  p = end = payload;
+  if (payloadlen) {
+    end += payloadlen;
+  }
 
   for (; p != end;) {
     if (end - p < 2) {

From cf094bd56bd3fbe0037fc72a2ebcee3cb7724b90 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 5 Jun 2020 23:08:58 +0900
Subject: [PATCH 2/2] Fix ubsan applying zero offset to null pointer occurred in unit test

---
 lib/nghttp2_frame.c   | 22 +++++++++++++++++++---
 lib/nghttp2_session.c | 12 +++++++++++-
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c
index 86dcf9e2..382a26c8 100644
--- a/lib/nghttp2_frame.c
+++ b/lib/nghttp2_frame.c
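Review bot: The `if (len)` guard added in nghttp2_buf_wrap_init has no comment saying it exists only to avoid forming `NULL + 0`, so a later cleanup is likely to fold it back into `buf->end = begin + len;` and reintroduce the UBSan finding; add `/* begin may be NULL when len == 0; never form NULL + 0 */` above the guard. The guard also leaves `begin == NULL` with `len != 0` unhandled, which still forms an invalid pointer; an `assert(begin != NULL || len == 0);` at the top of the function would make that precondition explicit. The same two points apply to the `if (payloadlen)` guard in the nghttp2_frame_unpack_origin_payload hunk, whose function body starts and ends outside the hunk.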
@@ -899,9 +899,25 @@ nghttp2_settings_entry *nghttp2_frame_iv_copy(const nghttp2_settings_entry *iv,
 }
 
 int nghttp2_nv_equal(const nghttp2_nv *a, const nghttp2_nv *b) {
-  return a->namelen == b->namelen && a->valuelen == b->valuelen &&
-         memcmp(a->name, b->name, a->namelen) == 0 &&
-         memcmp(a->value, b->value, a->valuelen) == 0;
+  if (a->namelen != b->namelen || a->valuelen != b->valuelen) {
+    return 0;
+  }
+
+  if (a->name == NULL || b->name == NULL) {
+    assert(a->namelen == 0);
+    assert(b->namelen == 0);
+  } else if (memcmp(a->name, b->name, a->namelen) != 0) {
+    return 0;
+  }
+
+  if (a->value == NULL || b->value == NULL) {
+    assert(a->valuelen == 0);
+    assert(b->valuelen == 0);
+  } else if (memcmp(a->value, b->value, a->valuelen) != 0) {
+    return 0;
+  }
+
+  return 1;
 }
 
 void nghttp2_nv_array_del(nghttp2_nv *nva, nghttp2_mem *mem) {
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 39f81f49..6691d9aa 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -5353,9 +5353,11 @@ static ssize_t inbound_frame_effective_readlen(nghttp2_inbound_frame *iframe,
   return (ssize_t)(readlen);
 }
 
+static const uint8_t sin[] = {0};
+
 ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
                                  size_t inlen) {
-  const uint8_t *first = in, *last = in + inlen;
+  const uint8_t *first, *last;
   nghttp2_inbound_frame *iframe = &session->iframe;
   size_t readlen;
   ssize_t padlen;
@@ -5366,6 +5368,14 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
   size_t pri_fieldlen;
   nghttp2_mem *mem;
 
+  if (in == NULL) {
+    assert(inlen == 0);
+    in = sin;
+  }
+
+  first = in;
+  last = in + inlen;
+
   DEBUGF("recv: connection recv_window_size=%d, local_window=%d\n",
          session->recv_window_size, session->local_window_size);
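Review bot: In nghttp2_nv_equal the NULL branches rely solely on `assert` to reject a NULL name or value with a non-zero length, so in an NDEBUG build such a malformed nv falls through and the function can return 1 against a well-formed nv with the same lengths, i.e. a false equality instead of a failure. Since the lengths are already known equal at that point, a release-safe form is `if (a->name == NULL || b->name == NULL) { if (a->namelen != 0) { return 0; } }` (and the same for `value`/`valuelen`), optionally keeping the asserts inside for debug builds. The hunk does not show whether `<assert.h>` is already included in this file; if it is not, the added `assert` calls will not compile.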
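Review bot: The file-scope sentinel `static const uint8_t sin[] = {0};` reuses the name of the standard library function `sin`; if `<math.h>` is included anywhere in this translation unit that is a reserved file-scope identifier, and even when it is not, the name says nothing about its purpose. Rename it and document why it exists, e.g. `/* Non-NULL stand-in for in when inlen == 0, so in + inlen never forms NULL + 0. */ static const uint8_t empty_in[] = {0};`. The assignment of `first`/`last` that depends on this sentinel lies in the following hunk, whose end is outside this view.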