
From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Subject: httpd: Fix UB in printb_flags due to left-shift into the MSB of a signed int
To: tech@openbsd.org
Date: Tue, 17 Dec 2024 22:03:35 -0500

From httpd.c:1214:
```
1228 if (bits) {
1229   bits++;
1230   while ((i = *bits++)) {
1231     if (v & (1 << (i - 1))) {
```

1231 is UB when `i` is 31 due to left-shifting into the MSB of a
signed int. This happens when processing the last entry of
SRVFLAG_BITS.
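As an added example (not the author's patch and not httpd's own code), here is a decoder for the kind of flag descriptor the quoted loop walks, written with the unsigned literal the patch introduces. The descriptor format (a kernel-style "%b" string), the constructed DEMO_BITS table, the `i > 32` guard and the check_flags helper are assumptions of this example; DEMO_BITS deliberately includes the top bit, the entry whose shift count of 31 is undefined with a signed `1`.

```c
#include <stdint.h>
#include <string.h>

/* Constructed descriptor for the demo: base byte, then bits 1, 2 and 32. */
static const char DEMO_BITS[] = "\20\1READ\2WRITE\40TOP";

/*
 * Decode a kernel-style "%b" flag descriptor (format assumed here, modelled
 * on the loop quoted from httpd.c; not httpd's code): bits[0] is the number
 * base and is skipped, then each entry is a 1-based bit number (1..32)
 * followed by its name, which runs until the next byte <= 32. Writes the
 * names of the set bits, comma separated, to out; returns how many were set,
 * or -1 for a bit number the shift cannot represent.
 */
int
decode_flags(uint32_t v, const char *bits, char *out, size_t outlen)
{
	size_t n = 0;
	int any = 0, count = 0;
	unsigned char i;

	out[0] = '\0';
	if (bits == NULL || *bits == '\0')
		return 0;
	bits++;				/* skip the base byte */
	while ((i = (unsigned char)*bits++) != 0) {
		if (i > 32)		/* shift count >= 32 is UB for any type */
			return -1;
		/* 1u << 31 is well defined; 1 << 31 on a signed int is not. */
		int set = (v & (1u << (i - 1))) != 0;
		if (set && any && n + 2 < outlen) {
			out[n++] = ',';
			out[n++] = ' ';
		}
		for (; (unsigned char)*bits > 32; bits++)
			if (set && n + 1 < outlen)
				out[n++] = *bits;
		if (set) {
			any = 1;
			count++;
		}
	}
	out[n] = '\0';
	return count;
}

/* Test helper: returns decode_flags' count if its output equals expect. */
int check_flags(uint32_t v, const char *bits, const char *expect)
{
	char buf[64];
	int rc = decode_flags(v, bits, buf, sizeof buf);
	return strcmp(buf, expect) == 0 ? rc : -2;
}
```

Building the signed variant of the shift with `-fsanitize=undefined` and feeding it a descriptor that names bit 32 makes UBSan report the shift at runtime; the unsigned form above produces no report.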

Here's a patch to use an unsigned literal, which removes the UB:
Index: httpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.74
diff -u -p -r1.74 httpd.c
--- httpd.c    8 Apr 2024 12:45:18 -0000    1.74
+++ httpd.c    18 Dec 2024 02:26:54 -0000
@@ -1228,7 +1228,7 @@ printb_flags(const uint32_t v, const cha
     if (bits) {
         bits++;
         while ((i = *bits++)) {
-            if (v & (1 << (i - 1))) {
+            if (v & (1u << (i - 1))) {
                 if (any) {
                     *p++ = ',';
                     *p++ = ' ';
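Review bot: the `1u` literal fixes the reported case, since `1u << 31` is well defined and unsigned int is 32 bits wide on every OpenBSD target, matching the `uint32_t v` in the function signature shown in the hunk header. The loop still relies on every bit number in the descriptor being at most 32, because a shift count of 32 or more is undefined for unsigned types too; that invariant currently rests on SRVFLAG_BITS alone, so a one-line comment above `while ((i = *bits++)) {` stating it (or a bounds check on `i` if the descriptor table is ever extended) would make the assumption explicit for the next reader.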