From cf094bd56bd3fbe0037fc72a2ebcee3cb7724b90 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 5 Jun 2020 23:08:58 +0900 Subject: [PATCH] Fix ubsan applying zero offset to null pointer occurred in unit test --- lib/nghttp2_frame.c | 22 +++++++++++++++++++--- lib/nghttp2_session.c | 12 +++++++++++- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c index 86dcf9e2..382a26c8 100644 --- a/lib/nghttp2_frame.c +++ b/lib/nghttp2_frame.c @@ -899,9 +899,25 @@ nghttp2_settings_entry *nghttp2_frame_iv_copy(const nghttp2_settings_entry *iv, } int nghttp2_nv_equal(const nghttp2_nv *a, const nghttp2_nv *b) { - return a->namelen == b->namelen && a->valuelen == b->valuelen && - memcmp(a->name, b->name, a->namelen) == 0 && - memcmp(a->value, b->value, a->valuelen) == 0; + if (a->namelen != b->namelen || a->valuelen != b->valuelen) { + return 0; + } + + if (a->name == NULL || b->name == NULL) { + assert(a->namelen == 0); + assert(b->namelen == 0); + } else if (memcmp(a->name, b->name, a->namelen) != 0) { + return 0; + } + + if (a->value == NULL || b->value == NULL) { + assert(a->valuelen == 0); + assert(b->valuelen == 0); + } else if (memcmp(a->value, b->value, a->valuelen) != 0) { + return 0; + } + + return 1; } void nghttp2_nv_array_del(nghttp2_nv *nva, nghttp2_mem *mem) { diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c index 39f81f49..6691d9aa 100644 --- a/lib/nghttp2_session.c +++ b/lib/nghttp2_session.c @@ -5353,9 +5353,11 @@ static ssize_t inbound_frame_effective_readlen(nghttp2_inbound_frame *iframe, return (ssize_t)(readlen); } +static const uint8_t sin[] = {0}; + ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, size_t inlen) { - const uint8_t *first = in, *last = in + inlen; + const uint8_t *first, *last; nghttp2_inbound_frame *iframe = &session->iframe; size_t readlen; ssize_t padlen; @@ -5366,6 +5368,14 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, size_t pri_fieldlen; nghttp2_mem *mem; + if (in == NULL) { + assert(inlen == 0); + in = sin; + } + + first = in; + last = in + inlen; + DEBUGF("recv: connection recv_window_size=%d, local_window=%d\n", session->recv_window_size, session->local_window_size);