libretro-common/net: Priority B hardening in net_http.c

LibretroAdmin · LibretroAdmin · commit eb86df008deb · 2026-04-19T22:00:35.000+02:00
Follow-up to commit 66155ff. Seven additional fixes in net_http.c covering the remaining unchecked-allocation sites and the chunked-encoding body parser. One of them (the Content-Length/chunked collision) is a real OOB read driven by a hostile server response; the rest are OOM hardening and a code-quality cleanup. net_http: reset response->len when entering T_CHUNK body A hostile server that sends BOTH "Content-Length: N" and "Transfer-Encoding: chunked" headers leaves response->len set to N (from the Content-Length pass) while the body parser switches to T_CHUNK mode. The chunked path uses response->len as the *position* of the current chunklen line and reads: memchr(response->data + response->len + 2, ..., response->pos - response->len - 2); With len=N and pos=0 (fresh after header processing), the subtraction "pos - len" is an unsigned wrap to a huge size_t and memchr() does a wild OOB read at "data + N + 2" for roughly SIZE_MAX bytes. Fix: when the blank line ends the header block and we transition to P_BODY_CHUNKLEN, explicitly set response->len = 0 to match the chunked-path contract. net_http: cap chunked chunklen at NET_HTTP_MAX_CONTENT_LENGTH strtoul(hex) accepts arbitrarily large values. A hostile server advertising a chunklen of ffffffffffffffff keeps the client in a receive loop indefinitely (each net_http_update() tick decrements a tiny amount from response->len, never reaching zero). Bandwidth / time DoS. Fix: reuse the existing NET_HTTP_MAX_CONTENT_LENGTH cap (256 MiB) for chunks too; oversized chunklen sets state->err and the dispatch loop tears down the transfer cleanly. net_http: realloc NULL checks in chunked body parser Three realloc() calls in net_http_receive_body (end-of-body shrink, end-of-transfer shrink, mid-parse grow) ignored their return values. On OOM the original buffer leaked AND response->data became NULL, which the rest of the function (and subsequent update ticks) dereference. Fix: tmp pointer pattern + state->err + return false to abort cleanly, matching the fix for the header-side reallocs from commit 66155ff. net_http: redirect path hardening net_http_redirect had four unchecked allocations: * strdup(new_url->domain) and strdup(new_url->path) (absolute redirect path) * strdup(location) (relative redirect, absolute path) * malloc(PATH_MAX_LENGTH) (relative redirect, relative path) * realloc(response->data, 64*1024) (response buffer reset) Each failure left a later strlen()/memcpy()/... target NULL or overwrote state->request.path with NULL. Fix: check each allocation, on failure set state->err and return true so the dispatch loop treats the transfer as finished-with-error and tears it down via the normal path. net_http: connection_done malloc NULL check The urlcopy expansion branch (hit when a URL has query parms but no port and no path separator, e.g. "site.com?x=1") did an unchecked malloc followed by two memcpys. On OOM the memcpys would NULL-deref. Fix: check the malloc and return false; caller treats false as a malformed URL and frees the partially-initialised connection via net_http_connection_free. net_http: connection_set_content malloc NULL check The postdata malloc was unchecked before the memcpy. Fix: if malloc fails, leave postdata NULL and reset contentlength to 0 so net_http_send_request does not advertise a Content-Length it cannot honour. net_http: urlencode malloc NULL check net_http_urlencode's output buffer malloc was unchecked and the encoding loop then wrote to the NULL pointer. Fix: leave *dest NULL and return on malloc failure. Callers who need to distinguish success/failure already check *dest against NULL (the typical URL-builder pattern). net_http: stack buffer for Content-Length digit string net_http_send_request allocated a small buffer via malloc to hold the decimal representation of request->contentlength, then snprintf'd into it. Pre-patch the malloc was unchecked and snprintf-into-NULL would crash. The value is at most 20 digits (UINT64_MAX + NUL), so switch to a 32-byte stack buffer and drop the malloc entirely. Also replace the subsequent strlen() with the snprintf return length. Reachability: * The Content-Length/chunked collision is remotely triggerable by a malicious server response; ~every HTTP/1.1 server distinguishes between the two body framings but a malicious one is free to send both. * The chunklen cap closes a bandwidth/time DoS on the same attack surface. * The remaining OOM fixes are crash avoidance on constrained devices. VC6 compatibility: the file is compiled on all platforms. The fix uses only size_t / ssize_t / int and standard comparisons; no new headers. The 32-byte stack buffer for the Content-Length string replaces the malloc path on both MSVC (_WIN32) and non-MSVC branches. Regression test: NONE, for the same reasons as the parent patch (net_http.c internals are static and exercised by net_http_update which dispatches to sockets). Compile-verified under -Wall -Werror for both -DHAVE_THREADS and no-threads configs. Full libretro-common samples CI dry-run: Built: 14 Ran: 14 Failed: 0 (the existing http_parse_test in that allowlist passes unchanged)
diff --git a/libretro-common/net/net_http.c b/libretro-common/net/net_http.c
@@ -250,6 +250,13 @@ void net_http_urlencode(char **dest, const char *source)
    enc   = (char*)malloc(len + 1);
    *dest = enc;
 
+   /* Malloc failure: leave *dest NULL and bail.  Callers that
+    * dereference the result (common in URL-builder flows) will
+    * then hit a single deliberate NULL check instead of a random
+    * crash in the encoding loop below. */
+   if (!enc)
+      return;
+
    /* Second pass: encode */
    for (s = source; *s; s++)
    {
@@ -453,6 +460,12 @@ bool net_http_connection_done(struct http_connection_t *conn)
          size_t domain_len   = strlen(conn->domain);
          size_t path_len     = strlen(conn->scan);
          char* urlcopy       = (char*)malloc(domain_len + path_len + 2);
+         /* Malloc failure: leave conn untouched and return false
+          * so the caller does not use a partially-initialised
+          * connection.  Without this check the following memcpy
+          * would NULL-deref. */
+         if (!urlcopy)
+            return false;
          memcpy(urlcopy, conn->domain, domain_len);
          urlcopy[domain_len] = '\0';
          memcpy(urlcopy + domain_len + 1, conn->scan, path_len + 1);
@@ -530,7 +543,15 @@ void net_http_connection_set_content(
    if (content_length)
    {
       conn->postdata = malloc(content_length);
-      memcpy(conn->postdata, content, content_length);
+      if (conn->postdata)
+         memcpy(conn->postdata, content, content_length);
+      else
+      {
+         /* Malloc failure: leave postdata NULL and reset
+          * contentlength so net_http_send_request does not
+          * advertise a Content-Length it cannot honour. */
+         conn->contentlength = 0;
+      }
    }
 }
 
@@ -1114,8 +1135,8 @@ static bool net_http_send_request(struct http_t *state)
    }
    if (request->method && request->method[0] == 'P')
    {
-      size_t _len, len;
-      char *len_str = NULL;
+      size_t _len;
+      int    len;
       if (     !request->postdata
             && request->method[1] == 'O' /* POST, not PUT */
             && request->contentlength > 0)
@@ -1130,19 +1151,27 @@ static bool net_http_send_request(struct http_t *state)
                sizeof("Content-Type: application/x-www-form-urlencoded\r\n")-1);
       net_http_send_str(state, "Content-Length: ", sizeof("Content-Length: ")-1);
       _len = request->contentlength;
+      /* Use a stack buffer -- the maximum decimal representation
+       * of a size_t is 20 digits (UINT64_MAX) + NUL, well within
+       * 32 bytes.  Pre-patch this was a malloc/snprintf pair
+       * whose malloc was never NULL-checked; a snprintf-into-NULL
+       * crash on OOM was the tail end of that sequence. */
+      {
+         char len_buf[32];
 #ifdef _WIN32
-      len     = snprintf(NULL, 0, "%" PRIuPTR, _len);
-      len_str = (char*)malloc(len + 1);
-      snprintf(len_str, len + 1, "%" PRIuPTR, _len);
+         len = snprintf(len_buf, sizeof(len_buf), "%" PRIuPTR, _len);
 #else
-      len     = snprintf(NULL, 0, "%llu", (long long unsigned)_len);
-      len_str = (char*)malloc(len + 1);
-      snprintf(len_str, len + 1, "%llu", (long long unsigned)_len);
+         len = snprintf(len_buf, sizeof(len_buf), "%llu",
+               (long long unsigned)_len);
 #endif
-      len_str[len] = '\0';
-      net_http_send_str(state, len_str, strlen(len_str));
+         if (len < 0)
+            len = 0;
+         else if ((size_t)len >= sizeof(len_buf))
+            len = sizeof(len_buf) - 1;
+         len_buf[len] = '\0';
+         net_http_send_str(state, len_buf, (size_t)len);
+      }
       net_http_send_str(state, "\r\n", sizeof("\r\n")-1);
-      free(len_str);
    }
    net_http_send_str(state, "User-Agent: ", sizeof("User-Agent: ")-1);
    if (request->useragent)
@@ -1241,7 +1270,21 @@ static ssize_t net_http_receive_header(struct http_t *state, ssize_t len)
             {
                response->part = P_BODY;
                if (response->bodytype == T_CHUNK)
+               {
                   response->part = P_BODY_CHUNKLEN;
+                  /* The chunked body parser uses response->len as
+                   * the position of the current chunklen line --
+                   * must start at 0.  A hostile server that sent
+                   * both "Content-Length: N" and
+                   * "Transfer-Encoding: chunked" would otherwise
+                   * leave response->len set to N from the
+                   * Content-Length pass, and the first chunked
+                   * parse step computed "response->pos -
+                   * response->len" as an unsigned wrap to a huge
+                   * value.  memchr() at that offset is a wild
+                   * OOB read. */
+                  response->len = 0;
+               }
             }
             scan = lineend + 1;
             continue;
@@ -1396,6 +1439,18 @@ static bool net_http_receive_body(struct http_t *state, ssize_t newlen)
             if (end)
             {
                size_t chunklen = strtoul(response->data + response->len, NULL, 16);
+               /* Cap the chunk length at the same Content-Length
+                * ceiling.  A hostile server sending a chunklen
+                * like ffffffffffffffff drives the client into
+                * an effectively unbounded receive loop (each
+                * net_http_update tick nibbles at response->len
+                * and response->len never reaches zero). */
+               if (chunklen > NET_HTTP_MAX_CONTENT_LENGTH)
+               {
+                  response->part = P_DONE;
+                  state->err     = true;
+                  return false;
+               }
                response->pos   = response->len;
                end++;
 
@@ -1413,9 +1468,17 @@ static bool net_http_receive_body(struct http_t *state, ssize_t newlen)
                response->part = P_BODY;
                if (response->len == 0)
                {
+                  char *tmp;
                   response->part = P_DONE;
                   response->len  = response->pos;
-                  response->data = (char*)realloc(response->data, response->len);
+                  tmp            = (char*)realloc(response->data,
+                        response->len);
+                  if (!tmp)
+                  {
+                     state->err = true;
+                     return false;
+                  }
+                  response->data = tmp;
                   return true;
                }
                goto parse_again;
@@ -1446,24 +1509,46 @@ static bool net_http_receive_body(struct http_t *state, ssize_t newlen)
       {
          response->part = P_DONE;
          if (response->buflen != response->len)
-            response->data = (char*)realloc(response->data, response->len);
+         {
+            char *tmp = (char*)realloc(response->data, response->len);
+            if (!tmp)
+            {
+               state->err = true;
+               return false;
+            }
+            response->data = tmp;
+         }
          return true;
       }
    }
 
    if (response->pos >= response->buflen)
    {
+      char *tmp;
       response->buflen *= 2;
-      response->data    = (char*)realloc(response->data, response->buflen);
+      tmp               = (char*)realloc(response->data, response->buflen);
+      if (!tmp)
+      {
+         state->err = true;
+         return false;
+      }
+      response->data    = tmp;
    }
    return true;
 }
 
 static bool net_http_redirect(struct http_t *state, const char *location)
 {
-   /* This reinitializes state based on the new location */
+   /* This reinitializes state based on the new location.  Every
+    * allocation below is checked; on any failure state->err is
+    * set and we return true (the dispatch loop reads that as
+    * "transfer finished with an error"), leaving the state in a
+    * safe-to-delete shape. */
 
    /* URL may be absolute or relative to the current URL */
+   char *new_domain = NULL;
+   char *new_path   = NULL;
+   char *tmp;
    bool absolute = (!strncmp(location, "http://", sizeof("http://")-1)
                  || !strncmp(location, "https://", sizeof("https://")-1));
 
@@ -1476,42 +1561,72 @@ static bool net_http_redirect(struct http_t *state, const char *location)
       if (!net_http_connection_done(new_url))
       {
          net_http_connection_free(new_url);
+         state->err = true;
          return true;
       }
-      state->ssl = new_url->ssl;
+      new_domain = strdup(new_url->domain);
+      new_path   = strdup(new_url->path);
+      if (!new_domain || !new_path)
+      {
+         free(new_domain);
+         free(new_path);
+         net_http_connection_free(new_url);
+         state->err = true;
+         return true;
+      }
+      state->ssl  = new_url->ssl;
+      state->request.port = new_url->port;
       if (state->request.domain)
          free(state->request.domain);
-      state->request.domain = strdup(new_url->domain);
-      state->request.port = new_url->port;
+      state->request.domain = new_domain;
       if (state->request.path)
          free(state->request.path);
-      state->request.path = strdup(new_url->path);
+      state->request.path = new_path;
       net_http_connection_free(new_url);
    }
    else
    {
       if (*location == '/')
       {
+         new_path = strdup(location);
+         if (!new_path)
+         {
+            state->err = true;
+            return true;
+         }
          if (state->request.path)
             free(state->request.path);
-         state->request.path = strdup(location);
+         state->request.path = new_path;
       }
       else
       {
-         char *path = (char*)malloc(PATH_MAX_LENGTH);
-         fill_pathname_resolve_relative(path, state->request.path,
+         new_path = (char*)malloc(PATH_MAX_LENGTH);
+         if (!new_path)
+         {
+            state->err = true;
+            return true;
+         }
+         fill_pathname_resolve_relative(new_path, state->request.path,
          location, PATH_MAX_LENGTH);
          free(state->request.path);
-         state->request.path = path;
+         state->request.path = new_path;
       }
    }
    state->request_sent       = false;
    state->response.part      = P_HEADER_TOP;
    state->response.status    = -1;
    /* Start with larger buffer to reduce reallocations */
    state->response.buflen    = 64 * 1024;
-   state->response.data      = (char*)realloc(state->response.data,
-   state->response.buflen);
+   tmp = (char*)realloc(state->response.data, state->response.buflen);
+   if (!tmp)
+   {
+      /* Keep the existing buffer; state->data is still valid.
+       * Mark the transfer as errored so the dispatch loop tears
+       * it down. */
+      state->err = true;
+      return true;
+   }
+   state->response.data      = tmp;
    state->response.pos       = 0;
    state->response.len       = 0;
    state->response.bodytype  = T_FULL;
