From b06639f7a7614414ab5e87a93494d8a31c483616 Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Thu, 18 Dec 2025 01:49:16 +0100
Subject: [PATCH] http: do not search outside the header value

Header values in picohttp are not null-terminated so `strstr` would happily search outside the header value and exceed the length of the header value. This could lead to DoS in artifical circumstances which don't apply to fd in practice. There is always a null byte in memory _somewhere_ after the header value even if it is not actually part of the header value. This is because `fd_http_server_ws_frame`s are allocated after the request buffer that contains the headers and the ws_frames contain four bytes of padding that is zero, because the whole memory we're operating on, has been allocated with `mmap` anonymously which zeroes the memory QED.
---
 src/waltz/http/fd_http_server.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/waltz/http/fd_http_server.c b/src/waltz/http/fd_http_server.c
index 5fe736e1f7d..9eb2aaee835 100644
--- a/src/waltz/http/fd_http_server.c
+++ b/src/waltz/http/fd_http_server.c
@@ -575,13 +575,14 @@ read_conn_http( fd_http_server_t * http,
 conn->upgrade_websocket = 0;
 int compress_websocket = 0;
- if( FD_UNLIKELY( upgrade_key && !strncmp( upgrade_key, "websocket", 9UL ) ) ) {
+ if( FD_UNLIKELY( upgrade_key && !strncasecmp( upgrade_key, "websocket", 9UL ) ) ) {
 conn->request_bytes_len = (ulong)result;
 conn->upgrade_websocket = 1;
 #if FD_HAS_ZSTD
 for( ulong i=0UL; i