From 1116d034d5354b2975a6089aad66dea00da696f3 Mon Sep 17 00:00:00 2001 From: Erik Dubbelboer Date: Tue, 1 Mar 2022 20:50:12 +0100 Subject: [PATCH] Fix panic while reading invalid trailers --- header.go | 4 ++++ http_test.go | 3 +++ 2 files changed, 7 insertions(+) diff --git a/header.go b/header.go index e74bbc3c7f..7b9df0836f 100644 --- a/header.go +++ b/header.go @@ -2442,6 +2442,10 @@ func (h *RequestHeader) parseTrailer(buf []byte) (int, error) { } func isBadTrailer(key []byte) bool { + if len(key) == 0 { + return true + } + switch key[0] | 0x20 { case 'a': return caseInsensitiveCompare(key, strAuthorization) diff --git a/http_test.go b/http_test.go index 426b70a532..12ca1f1a8e 100644 --- a/http_test.go +++ b/http_test.go @@ -32,6 +32,9 @@ func TestInvalidTrailers(t *testing.T) { if err := (&Response{}).Read(bufio.NewReader(bytes.NewReader([]byte{0x54, 0x52, 0x61, 0x49, 0x4c, 0x65, 0x52, 0x3a, 0x2c, 0x0a, 0x0a}))); !strings.Contains(err.Error(), "cannot find whitespace in the first line of response") { t.Fatal(err) } + if err := (&Request{}).Read(bufio.NewReader(bytes.NewReader([]byte{0xff, 0x20, 0x0a, 0x54, 0x52, 0x61, 0x49, 0x4c, 0x65, 0x52, 0x3a, 0x2c, 0x0a, 0x0a}))); !strings.Contains(err.Error(), "contain forbidden trailer") { + t.Fatal(err) + } b, _ := base64.StdEncoding.DecodeString("tCAKIDoKCToKICAKCToKICAKCToKIAogOgoJOgogIAoJOgovIC8vOi4KOh0KVFJhSUxlUjo9HT09HQpUUmFJTGVSOicQAApUUmFJTGVSOj0gHSAKCT09HQoKOgoKCgo=") if err := (&Request{}).Read(bufio.NewReader(bytes.NewReader(b))); !strings.Contains(err.Error(), "error when reading request headers: invalid header key") {