From 6bce48e99bf7bc325f4047a20828bb8099025dad Mon Sep 17 00:00:00 2001 From: Linus Groh Date: Fri, 10 Feb 2023 21:58:10 +0000 Subject: [PATCH] LibWeb: Fix UAF in convert_header_names_to_a_sorted_lowercase_set() We can't keep a span (ReadonlyBytes) to a move()'d ByteBuffer in the header_names_seen HashTable - copy the original name span instead which works the same thanks to CaseInsensitiveBytesTraits. This would sporadically fail the contains() check due to garbage data, later leading to a VERIFY() crash in the OrderedHashTable append loop. --- Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp index e12604921a..2b5addf6fd 100644 --- a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp +++ b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp @@ -352,7 +352,7 @@ ErrorOr> convert_header_names_to_a_sorted_lowercase continue; auto bytes = TRY(ByteBuffer::copy(name)); Infra::byte_lowercase(bytes); - header_names_seen.set(bytes); + header_names_seen.set(name); header_names_set.append(move(bytes)); }