gotwebd: memleak in (and small refactoring of) fcgi_parse

From:: Stefan Sperling <stsp@stsp.name>
Subject:: Re: gotwebd: memleak in (and small refactoring of) fcgi_parse_record
To:: Omar Polo <op@omarpolo.com>
Cc:: gameoftrees@openbsd.org, Tracey Emery <tracey@traceyemery.net>
Date:: Thu, 1 Sep 2022 11:09:17 +0200

Download raw body.

Thread

2022-09-01 07:42 Stefan Sperling:
gotwebd: memleak in (and small refactoring of) fcgi_parse_record
- 2022-09-01 08:52 Omar Polo:
  gotwebd: memleak in (and small refactoring of) fcgi_parse_record
- - 2022-09-01 09:09 Stefan Sperling:
    gotwebd: memleak in (and small refactoring of) fcgi_parse_record
  - - 2022-09-01 09:36 Stefan Sperling:
      gotwebd: memleak in (and small refactoring of) fcgi_parse_record

On Thu, Sep 01, 2022 at 10:52:01AM +0200, Omar Polo wrote:
> Using a memcpy + explicit NUL terminator (as the original code was
> doing) is probably for the better.  (but change bcopy for memcpy.)

Fine, ok.

Unrelated to your diff, but I'm wondering why 'n' is a uint16_t
instead of uint32_t.

The name_len and val_len values are uint32_t and their combined
max value parsed from client-provided data is 0x7fffffff +
0x7fffffff == 4294967294 which is just below UINT_MAX.
Which could result in 16-bit 'n' wrapping when we subtract at
the end of the loop?

		buf += name_len + val_len;
		n -= name_len - val_len;

2022-09-01 07:42 Stefan Sperling:
gotwebd: memleak in (and small refactoring of) fcgi_parse_record
- 2022-09-01 08:52 Omar Polo:
  gotwebd: memleak in (and small refactoring of) fcgi_parse_record
- - 2022-09-01 09:09 Stefan Sperling:
    gotwebd: memleak in (and small refactoring of) fcgi_parse_record
  - - 2022-09-01 09:36 Stefan Sperling:
      gotwebd: memleak in (and small refactoring of) fcgi_parse_record