
fix: uninitialized read in ipv6_address_rule when "." has no preceding h16#994

Open
alandefreitas wants to merge 2 commits into boostorg:develop from alandefreitas:develop

Conversation

@alandefreitas
Member

@alandefreitas alandefreitas commented May 8, 2026

fix #993

Parsing a URI whose IPv6 host contains `.` with no preceding h16 (for example `https://[::.`) read uninitialized memory. The IPv6 rule's `bytes` buffer is filled as h16 groups are parsed; when a `.` was encountered immediately after `::` (or at the very start), the parser tried to validate it as the first octet of an embedded IPv4 by calling `maybe_octet(&bytes[2*(7-n)])`, but those bytes had never been written.

In a constexpr context the compiler catches this as a hard error (the example from the issue):

```cpp
constexpr boost::urls::url_view Parsed =
    boost::urls::parse_uri("https://[::.").value();
```

At runtime it is undefined behavior.

The fix: in `include/boost/url/rfc/impl/ipv6_address_rule.hpp`, the `.` branch now returns `error::invalid` before the `maybe_octet` read when no h16 has been parsed in the current segment. The parser already maintains a flag `c` that means "an h16 was parsed in the current segment" (set true after each h16, reset to false after `::`), which is exactly the condition needed.

```cpp
if(*it == '.')
{
    if(b == -1 && n > 1) { /* not enough h16 */ ... }
    if(! c)
    {
        // missing h16 before "."
        BOOST_URL_CONSTEXPR_RETURN_EC(grammar::error::invalid);
    }
    if(! detail::maybe_octet(&bytes[2*(7-n)])) { ... }
    ...
}
```

This eliminates the uninitialized read on every reachable path while preserving acceptance of valid inputs like `::1.2.3.4` (where `c` is true after parsing the leading `1`).
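A worked illustration of the guard described in the comment above, added here as an example; it is not Boost.URL's code and not this PR's patch. It is a self-contained single-pass parser for the text inside the IPv6 brackets that fills a 16-byte buffer group by group and keeps the same bookkeeping the PR names (`n` groups still to fill, `b` the position of `::`, `c` the "h16 seen in this segment" flag). The function names `parse_ipv6`, `parse_ipv4`, `maybe_octet` and the `Ipv6Parse` struct are this example's own, and the real `ipv6_address_rule` differs in its details. The `!c` test in the `.` branch is the check the PR adds: in this example, for `::.` the index `2*(7-n)` would otherwise be -2, a read before the start of the buffer.

```cpp
// Added example (not Boost.URL's code): single-pass IPv6 literal parser with the
// "h16 parsed in this segment" guard in front of the embedded-IPv4 octet check.
#include <array>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string_view>

struct Ipv6Parse {
    bool ok = false;
    std::array<unsigned char, 16> bytes{};   // network order; filled only on success
};

namespace {

int hex_value(char ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

// Could the 16-bit group stored big-endian at p be re-read as a decimal octet?
// True only if every hex nibble is a decimal digit and the digits, read as
// decimal, give at most 255 (0x0192 -> "192" passes, 0x0256 fails).
bool maybe_octet(const unsigned char* p) {
    unsigned word = static_cast<unsigned>(p[0]) * 256u + p[1];
    if (word > 0x255u) return false;
    return ((word >> 8) & 0xfu) <= 9 && ((word >> 4) & 0xfu) <= 9 && (word & 0xfu) <= 9;
}

// Parse dotted-quad "a.b.c.d" (RFC 3986 dec-octet, so no leading zeros) starting
// at s[pos]; writes 4 octets to out and advances pos. False on any defect.
bool parse_ipv4(std::string_view s, std::size_t& pos, unsigned char* out) {
    for (int octet = 0; octet < 4; ++octet) {
        if (octet > 0) {
            if (pos >= s.size() || s[pos] != '.') return false;
            ++pos;
        }
        int value = 0, digits = 0;
        while (pos < s.size() && std::isdigit(static_cast<unsigned char>(s[pos]))) {
            if (digits == 1 && value == 0) return false;   // leading zero
            value = value * 10 + (s[pos] - '0');
            if (++digits > 3 || value > 255) return false;
            ++pos;
        }
        if (digits == 0) return false;   // empty octet, e.g. "::." or "1..2"
        out[octet] = static_cast<unsigned char>(value);
    }
    return true;
}

} // namespace

Ipv6Parse parse_ipv6(std::string_view s) {
    Ipv6Parse result;
    unsigned char bytes[16];   // deliberately left uninitialized, as in the parser under discussion
    int n = 8;                 // 16-bit groups still to fill
    int b = -1;                // groups written before "::", or -1 if no "::" seen
    bool c = false;            // an h16 was parsed in the current segment (reset after "::")
    std::size_t pos = 0, h16_start = 0, h16_end = 0;   // span of the most recent h16

    while (pos < s.size()) {
        char ch = s[pos];
        if (ch == ':') {
            if (pos + 1 < s.size() && s[pos + 1] == ':') {
                if (b != -1 || n == 0) return result;   // second "::", or no group left for it
                b = 8 - n;
                c = false;
                pos += 2;
                continue;
            }
            if (!c || h16_end != pos || pos + 1 == s.size()) return result;  // ':' needs h16 on both sides
            ++pos;
            continue;
        }
        if (ch == '.') {
            // The PR's guard: with no h16 in this segment there is nothing to re-read
            // as an octet and bytes[2*(7-n)] was never written. Reject before reading.
            if (!c) return result;
            if (h16_end != pos) return result;             // '.' must follow the h16 directly
            if (!maybe_octet(&bytes[2 * (7 - n)])) return result;
            ++n;                                           // give that group back; IPv4 takes two
            if (b == -1 ? n != 2 : n < 2) return result;   // IPv4 must be the final 32 bits
            pos = h16_start;                               // re-parse the h16 text as the first octet
            if (!parse_ipv4(s, pos, bytes + 2 * (8 - n))) return result;
            n -= 2;
            if (pos != s.size()) return result;            // nothing may follow the IPv4 part
            break;
        }
        if (hex_value(ch) >= 0) {
            if (n == 0 || (pos > 0 && s[pos - 1] != ':')) return result;  // ninth group, or missing ':'
            unsigned value = 0;
            int digits = 0;
            h16_start = pos;
            while (pos < s.size() && hex_value(s[pos]) >= 0) {
                if (++digits > 4) return result;           // h16 is 1..4 hex digits
                value = value * 16 + hex_value(s[pos]);
                ++pos;
            }
            h16_end = pos;
            bytes[2 * (8 - n)] = static_cast<unsigned char>(value >> 8);
            bytes[2 * (8 - n) + 1] = static_cast<unsigned char>(value & 0xff);
            --n;
            c = true;
            continue;
        }
        return result;   // any other character
    }

    if (b == -1) {
        if (n != 0) return result;   // exactly eight groups when there is no "::"
    } else {
        if (n < 1) return result;    // "::" stands for at least one group
        int written = 8 - n, tail = written - b;
        std::memmove(bytes + 16 - 2 * tail, bytes + 2 * b, 2 * tail);  // slide groups after "::" to the end
        std::memset(bytes + 2 * b, 0, 16 - 2 * written);               // zero-fill the elided groups
    }
    std::memcpy(result.bytes.data(), bytes, 16);
    result.ok = true;
    return result;
}

int main() {
    // Constructed sample inputs, including the issue's "::." case.
    const char* samples[] = {"::.", "::1.2.3.4", "::ffff:192.168.0.1", "2001:db8::1", "1::2::3"};
    for (const char* s : samples)
        std::printf("%-22s %s\n", s, parse_ipv6(s).ok ? "valid" : "invalid");
}
```

The page's valid case `::1.2.3.4` goes through the `.` branch with `c` true, so `maybe_octet` reads the group that `1` was just written to and the text is then re-parsed from `h16_start` as a dotted quad; `::.` never reaches the buffer read at all.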

@cppalliance-bot

cppalliance-bot commented May 8, 2026

An automated preview of the documentation is available at https://994.url.prtest2.cppalliance.org/index.html

If more commits are pushed to the pull request, the docs will rebuild at the same URL.

2026-05-12 15:42:39 UTC

@cppalliance-bot

cppalliance-bot commented May 8, 2026

GCOVR code coverage report https://994.url.prtest2.cppalliance.org/gcovr/index.html
LCOV code coverage report https://994.url.prtest2.cppalliance.org/genhtml/index.html
Coverage Diff Report https://994.url.prtest2.cppalliance.org/diff-report/index.html

Build time: 2026-05-12 15:54:49 UTC

Setting the `CPPALLIANCE_AWS_POOL_DOWN` repository variable to `true`
now forces all jobs onto public GitHub-hosted runners, so outages of
the cppalliance AWS self-hosted pool no longer require a CI commit
to revert. Default (unset / `false`) preserves the existing behavior
for boostorg/url.


Development

Successfully merging this pull request may close these issues.

Uninitialized memory access while parsing invalid ipv6 address

2 participants