From 64934e59f9c06f62fe99466b320cd397c8609807 Mon Sep 17 00:00:00 2001
From: Zhidao HONG <z.hong@f5.com>
Date: Wed, 10 Apr 2024 13:45:34 +0800
Subject: HTTP: Introduce quoted target marker in HTTP parsing

The quoted_target field is to indentify URLs containing
percent-encoded characters. It can be used in places
where you might need to generate new URL, such as in the
proxy module.
It will be used in the subsequent commit.
---
 src/nxt_http_parse.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

(limited to 'src/nxt_http_parse.c')

diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c
index 50cbda2b..48be5bdb 100644
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -286,13 +286,11 @@ continue_target:
         case NXT_HTTP_TARGET_SPACE:
             rp->target_end = p;
             goto space_after_target;
-#if 0
+
         case NXT_HTTP_TARGET_QUOTE_MARK:
             rp->quoted_target = 1;
             goto rest_of_target;
-#else
-        case NXT_HTTP_TARGET_QUOTE_MARK:
-#endif
+
         case NXT_HTTP_TARGET_HASH:
             rp->complex_target = 1;
             goto rest_of_target;
@@ -434,12 +432,7 @@ space_after_target:
 
         rp->request_line_end = p;
 
-        if (rp->complex_target != 0
-#if 0
-            || rp->quoted_target != 0
-#endif
-           )
-        {
+        if (rp->complex_target || rp->quoted_target) {
             rc = nxt_http_parse_complex_target(rp);
 
             if (nxt_slow_path(rc != NXT_OK)) {
@@ -1041,7 +1034,7 @@ nxt_http_parse_complex_target(nxt_http_request_parse_t *rp)
             break;
 
         case sw_quoted:
-            //rp->quoted_target = 1;
+            rp->quoted_target = 1;
 
             if (ch >= '0' && ch <= '9') {
                 high = (u_char) (ch - '0');
-- 
cgit 


From 04a24f61e069926a6546917ee049dc17fbaf1d03 Mon Sep 17 00:00:00 2001
From: Arjun <pkillarjun@protonmail.com>
Date: Wed, 29 May 2024 13:13:24 +0530
Subject: http: fix use-of-uninitialized-value bug
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This was found via MSan.

In nxt_http_fields_hash() we setup a nxt_lvlhsh_query_t structure and
initialise a couple of its members.

At some point we call

  lhq->proto->alloc(lhq->pool, nxt_lvlhsh_bucket_size(lhq->proto));

Which in this case is

  void *
  nxt_lvlhsh_alloc(void *data, size_t size)
  {
      return nxt_memalign(size, size);
  }

So even though lhq.ppol wasn't previously initialised we don't actually
use it in that particular function.

However MSan triggers on the fact that we are passing an uninitialised
value into that function.

Indeed, compilers will generally complain about such things, e.g

  /* u.c */
  struct t {
  	void *p;
  	int len;
  };

  static void test(void *p __attribute__((unused)), int len)
  {
  	(void)len;
  }

  int main(void)
  {
  	struct t t;

  	t.len = 42;
  	test(t.p, t.len);

  	return 0;
  }

GCC and Clang will produce a -Wuninitialized warning.

But they won't catch the following...

  /* u2.c */
  struct t {
          void *p;
          int len;
  };

  static void _test(void *p __attribute__((unused)), int len)
  {
          (void)len;
  }

  static void test(struct t *t)
  {
          _test(t->p, t->len);
  }

  int main(void)
  {
          struct t t;

          t.len = 42;
          test(&t);

          return 0;
  }

Which is why we don't get a compiler warning about lhq.pool.

In this case initialising lhg.pool even though we don't use it here
seems like the right thing to do and maybe compilers will start being
able to catch these in the future.

Actually GCC with -fanalyzer does catch the above

  $ gcc -Wall -Wextra -O0 -fanalyzer u2.c
  u2.c: In function ‘test’:
  u2.c:15:9: warning: use of uninitialized value ‘*t.p’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
     15 |         _test(t->p, t->len);
        |         ^~~~~~~~~~~~~~~~~~~
    ‘main’: events 1-3
      |
      |   18 | int main(void)
      |      |     ^~~~
      |      |     |
      |      |     (1) entry to ‘main’
      |   19 | {
      |   20 |         struct t t;
      |      |                  ~
      |      |                  |
      |      |                  (2) region created on stack here
      |......
      |   23 |         test(&t);
      |      |         ~~~~~~~~
      |      |         |
      |      |         (3) calling ‘test’ from ‘main’
      |
      +--> ‘test’: events 4-5
             |
             |   13 | static void test(struct t *t)
             |      |             ^~~~
             |      |             |
             |      |             (4) entry to ‘test’
             |   14 | {
             |   15 |         _test(t->p, t->len);
             |      |         ~~~~~~~~~~~~~~~~~~~
             |      |         |
             |      |         (5) use of uninitialized value ‘*t.p’ here
             |

Signed-off-by: Arjun <pkillarjun@protonmail.com>
Link: <https://clang.llvm.org/docs/MemorySanitizer.html>
[ Commit message - Andrew ]
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
---
 src/nxt_http_parse.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/nxt_http_parse.c')

diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c
index 48be5bdb..dd490e72 100644
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -1182,6 +1182,7 @@ nxt_http_fields_hash(nxt_lvlhsh_t *hash,
 
     lhq.replace = 0;
     lhq.proto = &nxt_http_fields_hash_proto;
+    lhq.pool = NULL;
 
     for (i = 0; i < count; i++) {
         key = NXT_HTTP_FIELD_HASH_INIT;
-- 
cgit