Check protocol length so that scanner don't overrun buffer

This commit is contained in:
Tatsuhiro Tsujikawa 2014-04-22 23:20:33 +09:00
parent 80eb988511
commit 5aa0a0d099

View File

@ -33,12 +33,14 @@ int nghttp2_select_next_protocol(unsigned char **out, unsigned char *outlen,
unsigned int i = 0;
for(; i < inlen; i += in[i]+1) {
if(in[i] == NGHTTP2_PROTO_VERSION_ID_LEN &&
i + 1 + in[i] <= inlen &&
memcmp(&in[i+1], NGHTTP2_PROTO_VERSION_ID, in[i]) == 0) {
*out = (unsigned char*)&in[i+1];
*outlen = in[i];
return 1;
}
if(in[i] == 8 && memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
if(in[i] == 8 && i + 1 + in[i] <= inlen &&
memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
http_selected = 1;
*out = (unsigned char*)&in[i+1];
*outlen = in[i];