From: Renaud Allard
Subject: httpd: canonicalize_path() reads uninitialized stack on ".."
To: tech@openbsd.org
Date: Wed, 8 Apr 2026 12:20:32 +0200

In canonicalize_path() in usr.sbin/httpd/httpd.c, the ".." branch:

        i += 3;
        while (p > start && *p != '/')
                p--;
        *p = '\0';

p has just been advanced past the last written byte via "*p++ = *i;",
so the first "*p" read is of a byte this call never wrote. The caller
server_response() passes an uninitialized "char path[PATH_MAX];".

Index: usr.sbin/httpd/httpd.c
===================================================================
--- usr.sbin/httpd/httpd.c
+++ usr.sbin/httpd/httpd.c
@@ -627,8 +627,8 @@ canonicalize_path(const char *input, char *path, siz (i[3] == '/' || i[3] == '\0')) { /* b) revert '..' to previous directory */ i += 3; - while (p > start && *p != '/') - p--; + while (p > start && *--p != '/') + continue; *p = '\0'; continue; } else if (i[1] == '.' &&
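Review bot: the pre-decrement form is the correct fix for the uninitialized read, and it is also the safe way to write it: the `p > start` test runs before `*--p`, so when nothing has been written yet (p == start) the loop body never executes and p never steps before the buffer, which a separate `p--` placed ahead of the loop would not guarantee. For the bytes that were written the end state is unchanged: p stops on the previous '/' or at start, and the following `*p = '\0'` truncates there. With the old form, whenever the never-written byte at p happened to be '/', the loop exited at once and `*p = '\0'` left the last component in place, so whether ".." stripped it depended on what the caller's `char path[PATH_MAX]` held; the fix removes that dependence without requiring server_response() to zero the buffer. The hunk header counts (-627,8 +627,8) match the two replaced lines.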
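As an added example that is not httpd's code and not part of the mail above, here is a stand-alone stand-in for the ".." branch: the old loop and the patched loop are each run on a buffer whose unwritten tail has been deliberately pre-filled with a chosen byte, standing in for whatever the caller's uninitialized stack held. The names strip_last_component_old, strip_last_component_new and run_variant are mine; only the two loop bodies are taken from the hunk.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the ".." branch of canonicalize_path()
 * (not httpd's code). The output so far occupies buf[0..len-1] and
 * p = buf + len points one past the last written byte. The loop is
 * meant to strip the last path component back to the previous '/',
 * or to the start of the buffer if there is none.
 */

/* Old form: tests *p before stepping back, so the first read is of
 * buf[len], a byte this function never wrote. */
static void
strip_last_component_old(char *buf, size_t len)
{
	char *start = buf, *p = buf + len;

	while (p > start && *p != '/')
		p--;
	*p = '\0';
}

/* Patched form: step back first, then read; the p > start guard runs
 * before the decrement, so p never moves in front of the buffer. */
static void
strip_last_component_new(char *buf, size_t len)
{
	char *start = buf, *p = buf + len;

	while (p > start && *--p != '/')
		continue;
	*p = '\0';
}

/*
 * Run one variant on a buffer whose unwritten tail is pre-filled with
 * 'fill' (constructed "stack garbage"), then copy in the bytes the
 * call actually wrote. Returns buf so the caller can compare results.
 */
static const char *
run_variant(char *buf, size_t bufsz, const char *written, int fill,
    void (*variant)(char *, size_t))
{
	size_t len = strlen(written);

	assert(len + 1 < bufsz);
	memset(buf, fill, bufsz);
	memcpy(buf, written, len);
	variant(buf, len);
	return buf;
}

/* Returns 1 if the old loop's result changes with the garbage byte. */
int
old_depends_on_garbage(void)
{
	char a[32], b[32];

	run_variant(a, sizeof(a), "/foo/bar", 'x', strip_last_component_old);
	run_variant(b, sizeof(b), "/foo/bar", '/', strip_last_component_old);
	/* 'x' yields "/foo"; a garbage '/' stops the loop at once and
	 * leaves "/foo/bar" intact. */
	return strcmp(a, b) != 0;
}

/* Returns 1 if the patched loop yields "/foo" regardless of the fill. */
int
new_is_deterministic(void)
{
	char a[32], b[32];

	run_variant(a, sizeof(a), "/foo/bar", 'x', strip_last_component_new);
	run_variant(b, sizeof(b), "/foo/bar", '/', strip_last_component_new);
	return strcmp(a, "/foo") == 0 && strcmp(b, "/foo") == 0;
}

/* Returns 1 if an empty output buffer (p == start) stays empty: the
 * guard prevents any read or step before the buffer. */
int
new_handles_empty(void)
{
	char a[32];

	run_variant(a, sizeof(a), "", '/', strip_last_component_new);
	return a[0] == '\0';
}

int
main(void)
{
	printf("old loop depends on garbage byte: %d\n", old_depends_on_garbage());
	printf("patched loop deterministic:       %d\n", new_is_deterministic());
	printf("patched loop handles empty:       %d\n", new_handles_empty());
	return 0;
}
```

The '/' fill is the interesting case: it is the one value of the never-written byte that makes the old loop exit immediately, so the previous component survives and canonicalization silently depends on stack contents; the patched loop only ever reads bytes the call wrote.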