Skip to content

genesis: fix calling strtoul on non-null terminated string#8422

Open
two-heart wants to merge 1 commit intofiredancer-io:mainfrom
two-heart:genesis-pico-strtoul
Open

genesis: fix calling strtoul on non-null terminated string#8422
two-heart wants to merge 1 commit intofiredancer-io:mainfrom
two-heart:genesis-pico-strtoul

Conversation

@two-heart
Copy link
Contributor

@two-heart two-heart commented Feb 24, 2026

get_token_to_eol prevents oob read, but would still except numeric prefixes -- and is just wrong usage

@two-heart
genesis: fix calling strtoul on non-null terminated string
65ba53f 
get_token_to_eol prevents oob read, but would still except numeric prefixes -- and is just wrong usage
Copilot AI review requested due to automatic review settings February 24, 2026 09:42
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes unsafe parsing of the HTTP Content-Length header in the genesis client by avoiding strtoul on a non–NUL-terminated buffer returned by picohttpparser.

Changes:

  • Add a length-bounded decimal ulong parser for header values.
  • Use the new parser in rpc_phr_content_length to reject non-digit suffixes and avoid out-of-bounds reads.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@two-heart