From b0309145f0720605d986b5fdf4b9a3abbcf5f6eb Mon Sep 17 00:00:00 2001
From: Koen Zandberg <koen@bergzand.net>
Date: Wed, 18 Jul 2018 14:33:35 +0200
Subject: [PATCH] sock_util: Limit URL scheme size

---
 sys/include/net/sock/util.h | 8 ++++++--
 sys/net/sock/sock_util.c | 7 ++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/sys/include/net/sock/util.h b/sys/include/net/sock/util.h
index cb5f808559..1f69a9d1d3 100644
--- a/sys/include/net/sock/util.h
+++ b/sys/include/net/sock/util.h
@@ -53,8 +53,9 @@ int sock_udp_ep_fmt(const sock_udp_ep_t *endpoint, char *addr_str, uint16_t *por
 * "host.name:1234" and "/url/path".
 *
 * @note Caller has to make sure hostport and urlpath can hold the results!
- * Make sure to provide space for SOCK_HOSTPORT_MAXLEN respectively
- * SOCK_URLPATH_MAXLEN bytes.
+ * Make sure to provide space for @ref SOCK_HOSTPORT_MAXLEN respectively
+ * @ref SOCK_URLPATH_MAXLEN bytes.
+ * Scheme part of the URL is limited to @ref SOCK_SCHEME_MAXLEN length.
 *
 * @param[in] url URL to split
 * @param[out] hostport where to write host:port
@@ -98,6 +99,9 @@ bool sock_udp_ep_equal(const sock_udp_ep_t *a, const sock_udp_ep_t *b);
 * @name helper definitions
 * @{
 */
+#define SOCK_SCHEME_MAXLEN (16U) /**< maximum length of the scheme part
+ for sock_urlsplit. Ensures a hard
+ limit on the string iterator */
 #define SOCK_HOSTPORT_MAXLEN (64U) /**< maximum length of host:port part for
 sock_urlsplit() */
 #define SOCK_URLPATH_MAXLEN (64U) /**< maximum length path for
diff --git a/sys/net/sock/sock_util.c b/sys/net/sock/sock_util.c
index cbf46f1be1..8a779701e7 100644
--- a/sys/net/sock/sock_util.c
+++ b/sys/net/sock/sock_util.c
@@ -85,8 +85,13 @@ int sock_udp_ep_fmt(const sock_udp_ep_t *endpoint, char *addr_str, uint16_t *por

 static char* _find_hoststart(const char *url)
 {
+ /* Increment SOCK_SCHEME_MAXLEN due to comparison with the colon after the
+ * scheme part
+ */
+ size_t remaining = SOCK_SCHEME_MAXLEN + 1;
 char *urlpos = (char*)url;
- while(*urlpos) {
+ while(*urlpos && remaining) {
+ remaining--;
 if (*urlpos++ == ':') {
 if (strncmp(urlpos, "//", 2) == 0) {
 return urlpos + 2;
-- GitLab
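Review bot: The new `remaining` counter in `_find_hoststart` bounds only the search for the scheme's colon, and what happens when it runs out is not stated anywhere in the hunk: the loop simply exits and presumably falls through to the function's not-found return, which lies outside these lines. A URL whose scheme exceeds SOCK_SCHEME_MAXLEN is then indistinguishable from one with no scheme at all, so I would extend the comment to say so, e.g. `/* scan at most SOCK_SCHEME_MAXLEN scheme bytes plus the ':'; a longer scheme is handled as "no host found" */`. The host:port and path that follow the returned pointer are not covered by this counter, so their length checks must live in the caller, which is not visible here. Boundary tests with a 16-byte scheme, a 17-byte scheme and a colon-less string longer than the limit would pin the off-by-one that the `+ 1` is meant to handle.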