From 6a6def775db00a88fa800ea4d08e6519539dacde Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Fri, 5 Jun 2020 10:01:19 +0100
Subject: [PATCH] [uri] Avoid appearing to access final byte of a potentially
 empty string

The URI parsing code for "host[:port]" checks that the final character
is not ']' in order to allow for IPv6 literals.  If the entire
"host[:port]" portion of the URL is an empty string, then this will
access the preceding character.  This does not result in accessing
invalid memory (since the string is guaranteed by construction to
always have a preceding character) and does not result in incorrect
behaviour (since if the string is empty then strrchr() is guaranteed
to return NULL), but it does make the code confusing to read.

Fix by inverting the order of the two tests.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/core/uri.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/core/uri.c b/src/core/uri.c
index 73ad2b227..e9e512ab4 100644
--- a/src/core/uri.c
+++ b/src/core/uri.c
@@ -413,8 +413,8 @@ struct uri * parse_uri ( const char *uri_string ) {
 	}
 
 	/* Split host into host[:port] */
-	if ( ( uri->host[ strlen ( uri->host ) - 1 ] != ']' ) &&
-	     ( tmp = strrchr ( uri->host, ':' ) ) ) {
+	if ( ( tmp = strrchr ( uri->host, ':' ) ) &&
+	     ( uri->host[ strlen ( uri->host ) - 1 ] != ']' ) ) {
 		*(tmp++) = '\0';
 		uri->port = tmp;
 	}