commit a030517f060ffc45f3e3d1eebe8ad427384dc72f
from: rsadowski
date: Sun Jan 4 06:43:34 2026 UTC

validate return_uri_len before copying data

Spotted by tb@, ok claudio

commit - 38978fc61e39a54dc2f9e25e2a3222b5dd5fa4b6
commit + a030517f060ffc45f3e3d1eebe8ad427384dc72f
blob - b45081129b7477a642f044e465c62d7861fb925e
blob + 300a5f2caca68dd2708400099f9a987c8f638c59
--- config.c
+++ config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.67 2025/11/28 16:10:00 rsadowski Exp $ */
+/* $OpenBSD: config.c,v 1.68 2026/01/04 06:43:34 rsadowski Exp $ */
 
 /*
 * Copyright (c) 2011 - 2015 Reyk Floeter
@@ -513,6 +513,11 @@ config_getserver_config(struct httpd *env, struct serv
 /* Reset these variables to avoid free'ing invalid pointers */
 serverconfig_reset(srv_conf);
 
+ if ((IMSG_DATA_SIZE(imsg) - s) < (size_t)srv_conf->return_uri_len) {
+ log_debug("%s: invalid message length", __func__);
+ goto fail;
+ }
+
 TAILQ_FOREACH(parent, &srv->srv_hosts, entry) {
 if (strcmp(parent->name, srv_conf->name) == 0)
 break;
@@ -531,7 +536,6 @@ config_getserver_config(struct httpd *env, struct serv
 if ((srv_conf->return_uri = get_data(p + s,
 srv_conf->return_uri_len)) == NULL)
 goto fail;
- s += srv_conf->return_uri_len;
 }
 
 if (srv_conf->flags & SRVFLAG_LOCATION) {
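Review bot: The length check added in the second hunk (`@@ -513,6 +513,11 @@`) subtracts before it compares, so it is only sound if `s` can never exceed `IMSG_DATA_SIZE(imsg)`. Assuming both are unsigned, a larger `s` would make `IMSG_DATA_SIZE(imsg) - s` wrap to a huge value and an oversized `return_uri_len` would pass. Whether an earlier size check guarantees that bound is not visible here, since the body of config_getserver_config starts and ends outside the hunk. Writing the guard as `if (IMSG_DATA_SIZE(imsg) < s || IMSG_DATA_SIZE(imsg) - s < (size_t)srv_conf->return_uri_len) {` removes the dependency on that distant invariant. The rejection is also reported only through `log_debug`, so a malformed configuration message is invisible at default verbosity; a warning-level message that includes the received and expected lengths would make it detectable.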