Fix wolfIO_DecodeUrl handling of IPv6 brackets.

kareem-wolfssl · kareem-wolfssl · commit 2f7b4d112ff8 · 2026-06-12T13:51:50.000-07:00
Fixes F-4285.
diff --git a/src/wolfio.c b/src/wolfio.c
@@ -1710,6 +1710,12 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,
                     outName[i] = url[cur];
                 i++; cur++;
             }
+            /* A bracketed IPv6 literal must be terminated by ']'. The loop
+             * above can also stop on end-of-buffer, NUL, or the length cap,
+             * none of which represent a well-formed host. Reject those cases
+             * rather than accepting the unterminated tail as the hostname. */
+            if (cur >= urlSz || url[cur] != ']')
+                return WOLFSSL_FATAL_ERROR;
             cur++; /* skip ']' */
         }
         else {

Original file line number	Diff line number	Diff line change
`@@ -1710,6 +1710,12 @@ int wolfIO_DecodeUrl(const char* url, int urlSz, char* outName, char* outPath,`
`1710`	`1710`	`outName[i] = url[cur];`
`1711`	`1711`	`i++; cur++;`
`1712`	`1712`	`}`
	`1713`	`+ /* A bracketed IPv6 literal must be terminated by ']'. The loop`
	`1714`	`+ * above can also stop on end-of-buffer, NUL, or the length cap,`
	`1715`	`+ * none of which represent a well-formed host. Reject those cases`
	`1716`	`+ * rather than accepting the unterminated tail as the hostname. */`
	`1717`	`+ if (cur >= urlSz \|\| url[cur] != ']')`
	`1718`	`+ return WOLFSSL_FATAL_ERROR;`
`1713`	`1719`	`cur++; /* skip ']' */`
`1714`	`1720`	`}`
`1715`	`1721`	`else {`