NULL pointer dereference in httpGetSubField2() #5598

Closed
andreafioraldi opened this issue Jun 15, 2019 · 1 comment

Comments

andreafioraldi commented Jun 15, 2019

Hi,
I spotted a bug in http_add_field() (cups/http.c) while fuzzing the HTTP server of CUPS 2.3.0 that causes a NULL pointer dereference in httpGetSubField2().

Look at this snippet from _httpUpdate():

    else if ((field = httpFieldValue(line)) != HTTP_FIELD_UNKNOWN)
    {
      http_add_field(http, field, value, 1);

      if (field == HTTP_FIELD_AUTHENTICATION_INFO)
        httpGetSubField2(http, HTTP_FIELD_AUTHENTICATION_INFO, "nextnonce", http->nextnonce, (int)sizeof(http->nextnonce));
    }

It first adds the Authentication-Info field and then calls httpGetSubField2().

At the beginning of this routine there is a for loop that iterates over http->fields[field], assuming that it is a valid pointer.

  if (!http || !name || !value || valuelen < 2 ||
      field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX)
    return (NULL);

  end = value + valuelen - 1;

  for (fptr = http->fields[field]; *fptr;) // HERE
  {
   /*
    * Skip leading whitespace...
    */

Now, looking at http_add_field(), you can see that if valuelen is 0 the routine simply sets the first byte of http->_fields[field] to 0 and leaves http->fields[field] as NULL.

  valuelen = strlen(value);

  if (!valuelen)
  {
    http->_fields[field][0] = '\0';
    return;
  }

So it's clear that with an empty Authentication-Info field we can crash the application when httpGetSubField2() is called.

The crashing testcase from the fuzzer is:

GET http:https://localhost:631/index.html HTTP/1.1
Authentication-Info:  
Authentication-Info:   7.0

Best Regards,
Andrea

Edit: I'm on Ubuntu 18.04.2 x86_64
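The two code paths described in the report, as an added stand-alone C model written for this page (it is not CUPS's own code and not the upstream fix). The struct, http_add_field() and the parameter scanner are simplified stand-ins that keep only the behaviour the issue describes: an empty value clears the inline buffer but never sets fields[field], and the lookup then walks that NULL pointer. The NULL check in httpGetSubField2_fixed() is one way to harden the lookup and is an assumption here, not a description of the actual commit. Header values passed to lookup_nextnonce() are constructed inputs.

```c
/* Added example for this page: a simplified stand-alone model of the bug,
 * not CUPS's own code. Identifiers mirror CUPS names for readability only. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HTTP_FIELD_UNKNOWN             (-1)
#define HTTP_FIELD_AUTHENTICATION_INFO 0
#define HTTP_FIELD_MAX                 1
#define HTTP_MAX_VALUE                 256

typedef struct
{
  char *fields[HTTP_FIELD_MAX];                  /* current value, or NULL */
  char  _fields[HTTP_FIELD_MAX][HTTP_MAX_VALUE]; /* inline storage */
} http_t;

/* Model of http_add_field(): an empty value only clears the inline buffer,
 * so fields[field] keeps whatever it held before (NULL on a fresh http_t). */
void http_add_field(http_t *http, int field, const char *value)
{
  size_t valuelen = strlen(value);

  if (!valuelen)
  {
    http->_fields[field][0] = '\0';
    return;                                      /* fields[field] untouched */
  }
  strncpy(http->_fields[field], value, HTTP_MAX_VALUE - 1);
  http->_fields[field][HTTP_MAX_VALUE - 1] = '\0';
  http->fields[field] = http->_fields[field];
}

/* Scans a comma-separated list of name=value / name="value" parameters (the
 * shape of Authentication-Info) for `name`. `fptr` must not be NULL. Copies
 * the value into `value` (at most valuelen-1 bytes) and returns it, or
 * returns NULL with value set to "" when the parameter is absent. */
const char *get_subfield(const char *fptr, const char *name, char *value, int valuelen)
{
  size_t namelen = strlen(name);
  char  *end     = value + valuelen - 1;

  while (*fptr)
  {
    while (isspace((unsigned char)*fptr))
      fptr ++;
    if (!strncmp(fptr, name, namelen) && fptr[namelen] == '=')
    {
      char *ptr = value;
      fptr += namelen + 1;
      if (*fptr == '"')                          /* quoted value */
        for (fptr ++; *fptr && *fptr != '"' && ptr < end; fptr ++)
          *ptr++ = *fptr;
      else                                       /* token value */
        for (; *fptr && *fptr != ',' && !isspace((unsigned char)*fptr) && ptr < end; fptr ++)
          *ptr++ = *fptr;
      *ptr = '\0';
      return (value);
    }
    while (*fptr && *fptr != ',')                /* skip to next parameter */
      fptr ++;
    if (*fptr == ',')
      fptr ++;
  }
  *value = '\0';
  return (NULL);
}

/* Vulnerable shape: hands http->fields[field] on unchecked, so after an empty
 * Authentication-Info header get_subfield() reads through a NULL pointer. */
const char *httpGetSubField2_vuln(http_t *http, int field, const char *name, char *value, int valuelen)
{
  if (!http || !name || !value || valuelen < 2 || field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX)
    return (NULL);
  return (get_subfield(http->fields[field], name, value, valuelen));
}

/* Hardened shape (one possible fix, assumed here, not the upstream commit):
 * a NULL field pointer is treated as an empty field. */
const char *httpGetSubField2_fixed(http_t *http, int field, const char *name, char *value, int valuelen)
{
  if (!http || !name || !value || valuelen < 2 || field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX)
    return (NULL);
  if (!http->fields[field])
  {
    *value = '\0';
    return (NULL);
  }
  return (get_subfield(http->fields[field], name, value, valuelen));
}

/* Returns 1 if adding an empty value leaves fields[] NULL: the precondition
 * that the fuzzer's blank "Authentication-Info:" line sets up. */
int empty_value_leaves_field_null(void)
{
  http_t http;
  memset(&http, 0, sizeof(http));
  http_add_field(&http, HTTP_FIELD_AUTHENTICATION_INFO, "");
  return (http.fields[HTTP_FIELD_AUTHENTICATION_INFO] == NULL &&
          http._fields[HTTP_FIELD_AUTHENTICATION_INFO][0] == '\0');
}

/* Feeds one (constructed) Authentication-Info value through the fixed lookup;
 * returns 1 if nextnonce was found and copied into `nonce`, else 0. */
int lookup_nextnonce(const char *header, char *nonce, int noncelen)
{
  http_t http;
  memset(&http, 0, sizeof(http));
  http_add_field(&http, HTTP_FIELD_AUTHENTICATION_INFO, header);
  return (httpGetSubField2_fixed(&http, HTTP_FIELD_AUTHENTICATION_INFO, "nextnonce", nonce, noncelen) != NULL);
}

int main(void)
{
  char nonce[64];
  int  found;
  printf("empty value leaves fields[] NULL: %d\n", empty_value_leaves_field_null());
  found = lookup_nextnonce("nextnonce=\"abc123\", qop=auth", nonce, (int)sizeof(nonce));
  printf("found=%d nonce=\"%s\"\n", found, nonce);
  found = lookup_nextnonce("", nonce, (int)sizeof(nonce));  /* the fuzzer's empty header */
  printf("found=%d nonce=\"%s\"\n", found, nonce);
  return (0);
}
```

Calling httpGetSubField2_vuln() with the empty header is the crash the report describes and is deliberately not exercised by main(); the hardened variant returns NULL with an empty nonce instead, and the remaining checks show the lookup still finds a quoted or bare nextnonce in a non-empty header.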

@michaelrsweet
Collaborator

[master c9b65dc] Fix NULL pointer dereference in httpGetField2 (Issue #5598)
