Fix path_info_len underflow in manage-script-name with trailing-slash mountpoints#2774
Open
niol wants to merge 1 commit into
Open
Fix path_info_len underflow in manage-script-name with trailing-slash mountpoints#2774niol wants to merge 1 commit into
niol wants to merge 1 commit into
Conversation
… mountpoints When a request path like /footris exactly matches a mountpoint /footris/ (after stripping the trailing slash for comparison), the manage-script-name code sets script_name_len to 9 (the original mountpoint length including the slash) but orig_path_info_len is only 8. The subtraction orig_path_info_len - script_name_len = -1 wraps to 65535 when stored in the uint16_t path_info_len field. Subsequent code then passes iov_len=65535 to PyUnicode_DecodeLatin1, which reads far past the end of the allocated buffer. On s390x this read crosses into an unmapped page and causes a segfault. Fix: when orig_path_info_len is less than script_name_len (the only case being the exact-match-without-trailing-slash scenario described above), set path_info to an empty string (pointing at the end of the original path_info buffer) with path_info_len = 0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
(see https://bugs.debian.org/1133977)
When a request path like
/footrisexactly matches a mountpoint/footris/(after stripping the trailing slash for comparison), the manage-script-name code setsscript_name_lento 9 (the original mountpoint length including the slash) butorig_path_info_lenis only 8. The subtractionorig_path_info_len - script_name_len = -1wraps to 65535 when stored in the uint16_t path_info_len field. Subsequent code then passesiov_len=65535toPyUnicode_DecodeLatin1, which reads far past the end of the allocated buffer. On s390x this read crosses into an unmapped page and causes a segfault.Fix: when
orig_path_info_lenis less thanscript_name_len(the only case being the exact-match-without-trailing-slash scenario described above), setpath_infoto an empty string (pointing at the end of theoriginal path_infobuffer) withpath_info_len = 0.