Be more strict when iterating over parsed headers

lpereira · lpereira · commit 131127511ac7 · 2024-06-01T09:57:06.000-07:00
(This should be moved down a layer so this kind of validation
happens at the parsing time, not where we consume this, but
I'm too lazy to look at that now.)

Found by fuzzing with http-garden.
diff --git a/src/lib/lwan-lua.c b/src/lib/lwan-lua.c
@@ -66,17 +66,21 @@ LWAN_LUA_METHOD(http_headers)
     lua_newtable(L);
 
     for (size_t i = 0; i < helper->n_header_start; i++) {
-        const char *key = helper->header_start[i];
-        const char *key_end = strchr(key, ':');
+        const char *header = helper->header_start[i];
+        const char *next_header = helper->header_start[i + 1];
+        const char *colon = memchr(header, ':', (size_t)(next_header - header));
 
-        if (!key_end)
-            break;
+        if (!colon)
+            continue;
 
-        const char *value = key_end + 2;
-        const char *value_end = helper->header_start[i + 1];
+        const ptrdiff_t header_len = colon - header;
+        const ptrdiff_t value_len = next_header - colon - 4;
+
+        if (header_len < 0 || value_len < 0)
+            continue;
 
-        lua_pushlstring(L, key, (size_t)(key_end - key));
-        lua_pushlstring(L, value, (size_t)(value_end - value - 2));
+        lua_pushlstring(L, header, (size_t)header_len);
+        lua_pushlstring(L, colon + 2, (size_t)value_len);
         lua_rawset(L, -3);
     }
 
diff --git a/src/lib/lwan-request.c b/src/lib/lwan-request.c
@@ -2100,8 +2100,11 @@ void lwan_request_foreach_header_for_cgi(struct lwan_request *request,
         if (!colon)
             continue;
 
-        const size_t header_len = (size_t)(colon - header);
-        const size_t value_len = (size_t)(next_header - colon - 4);
+        const ptrdiff_t header_len = colon - header;
+        const ptrdiff_t value_len = next_header - colon - 4;
+
+        if (header_len < 0 || value_len < 0)
+            continue;
 
         r = snprintf(header_name, sizeof(header_name), "HTTP_%.*s",
                      (int)header_len, header);
@@ -2120,7 +2123,7 @@ void lwan_request_foreach_header_for_cgi(struct lwan_request *request,
             continue;
         }
 
-        cb(header_name, header_len + sizeof("HTTP_") - 1, colon + 2, value_len,
-           user_data);
+        cb(header_name, (size_t)header_len + sizeof("HTTP_") - 1, colon + 2,
+           (size_t)value_len, user_data);
     }
 }
