Opened 8 years ago
Closed 7 years ago
#762 closed defect (fixed)
protocol version integer overflow, downgrade to 0.9
Reported by: openid.stackexchange.com/user/9a01f091-0d6d-4e99-8f37-dcf99897dd7c
Owned by:
nginx version: nginx/1.9.0
built by gcc 4.9.2 (Debian 4.9.2-10)
Nginx currently supports the old RFC with:
HTTP / *DIGIT . *DIGIT
But when extracting the major and minor version there's an int16 overflow which means that currently "HTTP/65536.9" or "HTTP/65536.8" can be used and will be detected as HTTP/0.9.
This can be used to generate headless responses from Nginx (like a regular 0.9 query) while using something which does not look like a 0.9 query.
There are two ways of fixing it:
- use the attached patch to prevent int16 overflow
- remove the multi-digit part in the automaton parser (as the new rfc 7230 allows only one digit for major and 1 for minor)
Note that this patch is a PoC on ngx_http_parse.c which may need to be applied in other places like ngx_http_spdy.c where the same issue can also be present.
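The following is an added illustration, not nginx's code and not the reporter's patch. It models the defect the ticket describes with a permissive `1*DIGIT "." 1*DIGIT` parser whose accumulators are `uint16_t` (an assumption standing in for the "int16" mentioned above), and places it beside the ticket's second suggested fix, a strict RFC 7230 `"HTTP/" DIGIT "." DIGIT` check. The function names and the sample tokens are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing an HTTP-version token such as "HTTP/1.1". */
typedef struct {
    int ok;          /* 1 if the token was accepted, 0 if rejected */
    unsigned major;  /* parsed major version */
    unsigned minor;  /* parsed minor version */
} http_version_t;

static int is_digit(char c)
{
    return c >= '0' && c <= '9';
}

/*
 * Permissive 1*DIGIT "." 1*DIGIT parser with 16-bit accumulators.
 * This models the defect described in the ticket (assumption: the
 * "int16" the reporter mentions behaves like uint16_t); it is not
 * nginx's actual code. Each digit does acc = acc * 10 + d, and the cast
 * back to uint16_t silently drops the high bits, so 65536 wraps to 0.
 */
static http_version_t parse_version_multidigit(const char *s)
{
    http_version_t v = {0, 0, 0};
    uint16_t major = 0, minor = 0;

    if (strncmp(s, "HTTP/", 5) != 0) return v;
    s += 5;
    if (!is_digit(*s)) return v;
    while (is_digit(*s)) {
        major = (uint16_t)(major * 10 + (*s - '0'));  /* wraps mod 65536 */
        s++;
    }
    if (*s != '.') return v;
    s++;
    if (!is_digit(*s)) return v;
    while (is_digit(*s)) {
        minor = (uint16_t)(minor * 10 + (*s - '0'));  /* wraps mod 65536 */
        s++;
    }
    if (*s != '\0') return v;

    v.ok = 1;
    v.major = major;
    v.minor = minor;
    return v;
}

/*
 * Strict RFC 7230 grammar: HTTP-version = "HTTP/" DIGIT "." DIGIT.
 * Exactly one digit per field, so there is no accumulation and nothing
 * to overflow. Because the check is stateless it also sidesteps the
 * resumable-parser problem raised in the ticket's comment: a digit
 * counter kept on the stack is lost between calls, a fixed-shape token
 * check is not.
 */
static http_version_t parse_version_rfc7230(const char *s)
{
    http_version_t v = {0, 0, 0};

    if (strlen(s) != 8 || strncmp(s, "HTTP/", 5) != 0) return v;
    if (!is_digit(s[5]) || s[6] != '.' || !is_digit(s[7])) return v;

    v.ok = 1;
    v.major = (unsigned)(s[5] - '0');
    v.minor = (unsigned)(s[7] - '0');
    return v;
}

/* Returns 1 if the parsed token would be handled as HTTP/0.9. */
static int looks_like_http09(http_version_t v)
{
    return v.ok && v.major == 0 && v.minor == 9;
}

int main(void)
{
    /* Constructed sample tokens, including the ticket's HTTP/65536.9. */
    const char *samples[] = {
        "HTTP/1.1", "HTTP/0.9", "HTTP/65536.9", "HTTP/65537.1", "HTTP/1.10"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        http_version_t a = parse_version_multidigit(samples[i]);
        http_version_t b = parse_version_rfc7230(samples[i]);

        printf("%-14s multi-digit: ", samples[i]);
        if (a.ok) printf("%u.%u%s", a.major, a.minor,
                         looks_like_http09(a) ? " (treated as 0.9)" : "");
        else      printf("rejected");
        printf("   rfc7230: ");
        if (b.ok) printf("%u.%u\n", b.major, b.minor);
        else      printf("rejected\n");
    }
    return 0;
}
```

Run it and the multi-digit column shows `HTTP/65536.9` collapsing to `0.9` and `HTTP/65537.1` to `1.1`, while the RFC 7230 parser rejects both outright. If a multi-digit grammar must be kept for compatibility, the value (or digit count) bound has to live in the request's persistent parse state rather than in a local variable, for the reason given in the comment below.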
Change History (4)
by , 8 years ago
comment:1 by , 7 years ago
Status: new → accepted
comment:2 by , 7 years ago
comment:3 by , 7 years ago
Status: accepted → closed
The restriction in the suggested patch can be easily bypassed: the patch stores the number of digits parsed on the stack, while the ngx_http_parse_request_line() function can be called multiple times.
Slightly better patch below.