Changeset 4529:1ebec1d15a25 in nginx


Timestamp:
03/15/12 11:27:12 (8 years ago)
Author:
Maxim Dounin <mdounin@…>
Branch:
default
Phase:
public
Convert:
svn:c3fe7df1-7212-e011-8a91-001109144009/trunk@4530
Message:

Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().

This resulted in a disclosure of previously freed memory if an upstream
server returned a specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.

Location:
src/http/modules
Files:
4 edited

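--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -1502,8 +1502,8 @@
                                      + h->value.len + 1;
 
-                    ngx_cpystrn(h->key.data, r->header_name_start,
-                                h->key.len + 1);
-                    ngx_cpystrn(h->value.data, r->header_start,
-                                h->value.len + 1);
+                    ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+                    h->key.data[h->key.len] = '\0';
+                    ngx_memcpy(h->value.data, r->header_start, h->value.len);
+                    h->value.data[h->value.len] = '\0';
                 }
 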
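Review bot: The four replacement lines (new 1504-1507) carry no comment saying why a length-based copy is required, so a later cleanup could fold them back into ngx_cpystrn(). ngx_cpystrn() stops at the first NUL in the source, so the tail of h->key.data / h->value.data (presumably allocated above the hunk) stayed unwritten while h->key.len and h->value.len still covered it, which matches the disclosure the commit message describes. I would add above the first ngx_memcpy() `/* copy by length: the upstream header may contain NUL bytes, and every byte counted in len must be initialized */`, here and at the identical spots in the proxy, scgi and uwsgi sections. The enclosing block starts and ends outside the hunk.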
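--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1382,6 +1382,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {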
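Review bot: With the length-based copy at new lines 1384-1387, a NUL byte inside the upstream header name or value is now stored in h->key / h->value, and the '\0' written afterwards no longer marks the real end of the data. Any consumer that reads h->value.data as a C string will see a shorter value than one that honours h->value.len, so two views of the same header can disagree. Whether the header parser already rejects NUL bytes is not visible in this hunk; if it does not, treating such a header as invalid before the copy would be the more conservative behaviour. The same applies to the fastcgi, scgi and uwsgi sections.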
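--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -942,6 +942,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {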
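Review bot: The four-line copy-and-terminate sequence at new lines 944-947 is repeated verbatim in the fastcgi, proxy and uwsgi sections, the same duplication that let one mistake land in four modules. A single static helper or macro in the shared upstream code, taking `h` and `r`, would keep the copies from drifting and give one place for a comment explaining why the copy is by length. Each call site would then shrink to one line. The surrounding function lies outside the hunk, so the exact placement needs checking against the full file.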
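--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -982,6 +982,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {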