netlib_parseurl.c: Fix string overruns

yamt · yamt · commit 0fe456a80e89 · 2021-05-07T15:28:42.000+09:00
For EINVAL, it doesn't make sense to keep parsing. (For E2BIG, it might make some sense.) Found by LLVM ASan. ``` ================================================================= ==81622==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f2 at pc 0x00010d2746ca bp 0x7ffee29a9980 sp 0x7ffee29a9978 READ of size 1 at 0x6020000000f2 thread T0 #0 0x10d2746c9 in netlib_parseurl netlib_parseurl.c:121 apache#1 0x10d26b293 in parseurl webclient.c:479 apache#2 0x10d265e48 in webclient_perform webclient.c:690 apache#3 0x10d277c5b in main main.c:210 apache#4 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4) 0x6020000000f2 is located 0 bytes to the right of 2-byte region [0x6020000000f0,0x6020000000f2) allocated by thread T0 here: #0 0x10d3996d3 in wrap_strdup+0x203 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x3e6d3) apache#1 0x10d276abe in main main.c:147 apache#2 0x7fff7a06f3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4) SUMMARY: AddressSanitizer: heap-buffer-overflow netlib_parseurl.c:121 in netlib_parseurl Shadow bytes around the buggy address: 0x1c03ffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c03ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c03ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c03fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c0400000000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00 =>0x1c0400000010: fa fa 00 fa fa fa 00 00 fa fa 00 06 fa fa[02]fa 0x1c0400000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0400000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0400000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0400000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0400000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==81622==ABORTING ```
diff --git a/netutils/netlib/netlib_parseurl.c b/netutils/netlib/netlib_parseurl.c
@@ -113,21 +113,21 @@ int netlib_parseurl(FAR const char *str, FAR struct url_s *url)
 
   if (*src != ':')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;
 
   if (*src != '/')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;
 
   if (*src != '/')
     {
-      ret = -EINVAL;
+      return -EINVAL;
     }
 
   src++;

Original file line number	Diff line number	Diff line change
`@@ -113,21 +113,21 @@ int netlib_parseurl(FAR const char str, FAR struct url_s url)`
`113`	`113`
`114`	`114`	`if (*src != ':')`
`115`	`115`	`{`
`116`		`- ret = -EINVAL;`
	`116`	`+ return -EINVAL;`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`src++;`
`120`	`120`
`121`	`121`	`if (*src != '/')`
`122`	`122`	`{`
`123`		`- ret = -EINVAL;`
	`123`	`+ return -EINVAL;`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`src++;`
`127`	`127`
`128`	`128`	`if (*src != '/')`
`129`	`129`	`{`
`130`		`- ret = -EINVAL;`
	`130`	`+ return -EINVAL;`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`src++;`