Commit b298b44466 for openssl.org
commit b298b4446601301316718e9cd4fc3ecb9856ea8d
Author: Shmael13 <ismailsyed2005@gmail.com>
Date: Mon Jun 15 21:07:37 2026 +0500

demos/http3: fix missing NUL terminator on h3ssl->url

In the HTTP/3 demo server's :path handler, when the path value does not
begin with '/', the value is copied into the fixed-size url[MAXURL]
buffer with memcpy(h3ssl->url, vvalue.base, len) and no terminator is
written. len is capped at MAXURL, so a :path value of MAXURL or more
bytes fills the entire buffer, overwriting the zeroes from the preceding
memset and leaving url without a NUL terminator. The buffer is later
used as a C string by strcat() and strcmp() when building the file name,
resulting in a heap out-of-bounds read and a possible overflow of the
filename[PATH_MAX] buffer. This is reachable from a client-supplied
:path header.

Cap the length at MAXURL - 1 so that the trailing byte zeroed by the
memset always remains, guaranteeing url is NUL-terminated in every
branch. The '/'-prefixed branches are unaffected as they already write
an explicit terminator within the smaller bound.

Fixes #31516

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Sun Jun 21 16:19:08 2026
(Merged from https://github.com/openssl/openssl/pull/31520)
diff --git a/demos/http3/ossl-nghttp3-demo-server.c b/demos/http3/ossl-nghttp3-demo-server.c
index 92cc10c067..4529e35268 100644
--- a/demos/http3/ossl-nghttp3-demo-server.c
+++ b/demos/http3/ossl-nghttp3-demo-server.c
@@ -291,7 +291,7 @@ static int on_recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
fprintf(stdout, "\n");
if (token == NGHTTP3_QPACK_TOKEN__PATH) {
- int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL));
+ int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL - 1));
memset(h3ssl->url, 0, sizeof(h3ssl->url));
if (vvalue.base[0] == '/') {
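Review bot: The new len expression compares vvalue.len against MAXURL but caps at MAXURL - 1, so the two bounds in the ternary no longer match. The result is correct (len can never exceed MAXURL - 1), yet the line reads like an off-by-one at first glance. Consider testing and capping against the same value, for example sizeof(h3ssl->url) - 1, which also ties the bound to the buffer that the memset on the following line clears. A one-line comment saying that the last byte is reserved for the NUL left by the memset would keep a later cleanup from restoring the old bound. Separately, the context line if (vvalue.base[0] == '/') reads the first byte with no visible check that vvalue.len is non-zero; it is worth confirming that an empty :path value cannot reach it.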