protocol version integer overflow, downgrade to 0.9
Reported by: openid.stackexchange.com/user/9a01f091-0d6d-4e99-8f37-dcf99897dd7c
Owned by:
nginx version: nginx/1.9.0
built by gcc 4.9.2 (Debian 4.9.2-10)
Nginx currently supports the old RFC's version grammar:
HTTP / *DIGIT . *DIGIT
But when extracting the major and minor version there's an int16 overflow which means that currently "HTTP/65536.9" or "HTTP/65536.8" can be used and will be detected as HTTP/0.9.
This can be used to generate headless responses from Nginx (like a regular 0.9 query) while using something which does not look like a 0.9 query.
There are two ways of fixing it:
- use the attached patch to prevent the int16 overflow
- remove the multi-digit part in the automaton parser (as the new RFC 7230 allows only one digit for the major and one for the minor)
Note that this patch is a PoC on ngx_http_parse.c and may need to be applied in other places, like ngx_http_spdy.c, where the same issue can also be present.
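The following is an added example written for this page; it is neither the reporter's attached patch nor nginx's own ngx_http_parse.c. It is a small stand-alone C model of the version automaton described above (the names version_t, parse_version, parsed_version and the PARSE_* modes are assumptions for illustration). The major and minor numbers are accumulated into 16-bit fields, as the report states nginx does, so "HTTP/65536.9" wraps the major to 0 and yields the 0.9 version code. The same function also implements both fixes from the list: rejecting any number above 99 (the bounded variant) and accepting only a single digit per field (the RFC 7230 variant).

```c
#include <stdio.h>
#include <string.h>

/* Assumed: mirrors a 16-bit major/minor bitfield layout, as the report
 * describes nginx's storage. Not nginx's actual ngx_http_request_t. */
typedef struct {
    unsigned http_major:16;
    unsigned http_minor:16;
    unsigned http_version;   /* major * 1000 + minor */
} version_t;

#define HTTP_VERSION_9 9     /* what "HTTP/0.9" evaluates to */

enum {
    PARSE_UNBOUNDED,     /* original automaton: any number of digits, no check */
    PARSE_BOUNDED_99,    /* fix 1: reject a field once it exceeds 99 */
    PARSE_SINGLE_DIGIT   /* fix 2: RFC 7230 grammar, exactly one digit per field */
};

/* Read one decimal field into a 16-bit accumulator, the way the original
 * multi-digit automaton does. Returns 0 on success, -1 if rejected. */
static int read_field(const char **pp, unsigned short *out, int mode)
{
    const char *p = *pp;
    unsigned short acc = 0;          /* 16 bits wide: silently wraps at 65536 */
    int ndigits = 0;

    for (; *p >= '0' && *p <= '9'; p++, ndigits++) {
        acc = (unsigned short)(acc * 10 + (*p - '0'));
        if (mode == PARSE_BOUNDED_99 && acc > 99)
            return -1;               /* fix 1: bail out long before the wrap */
    }
    if (ndigits == 0)
        return -1;                   /* at least one digit is required */
    if (mode == PARSE_SINGLE_DIGIT && ndigits != 1)
        return -1;                   /* fix 2: "HTTP/" DIGIT "." DIGIT only */

    *out = acc;
    *pp = p;
    return 0;
}

/* Parse a complete "HTTP/<major>.<minor>" token. Returns 0 on success
 * (v filled in) or -1 if the token is rejected. */
static int parse_version(const char *s, version_t *v, int mode)
{
    const char *p = s;
    unsigned short major, minor;

    memset(v, 0, sizeof *v);
    if (strncmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;

    if (read_field(&p, &major, mode) != 0) return -1;
    if (*p++ != '.')                       return -1;
    if (read_field(&p, &minor, mode) != 0) return -1;
    if (*p != '\0')                        return -1;

    v->http_major = major;
    v->http_minor = minor;
    v->http_version = v->http_major * 1000 + v->http_minor;
    return 0;
}

/* Convenience wrapper: the computed version code, or (unsigned)-1 if rejected. */
static unsigned parsed_version(const char *s, int mode)
{
    version_t v;
    return parse_version(s, &v, mode) == 0 ? v.http_version : (unsigned)-1;
}

int main(void)
{
    /* Constructed inputs: a normal request line version, the two wrapped
     * values from the report, and a genuine 0.9 token. */
    const char *inputs[] = { "HTTP/1.1", "HTTP/65536.9", "HTTP/65536.8", "HTTP/0.9" };
    const char *modes[]  = { "unbounded", "bounded-99", "single-digit" };

    for (int m = 0; m < 3; m++) {
        for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
            unsigned ver = parsed_version(inputs[i], m);
            if (ver == (unsigned)-1)
                printf("%-12s %-14s rejected\n", modes[m], inputs[i]);
            else
                printf("%-12s %-14s version=%u%s\n", modes[m], inputs[i], ver,
                       ver == HTTP_VERSION_9 ? "  (treated as HTTP/0.9)" : "");
        }
    }
    return 0;
}
```

In the unbounded mode, "HTTP/65536.9" and "HTTP/65536.8" come out as versions 9 and 8, i.e. the 0.x family that triggers a headerless response, while both fixed modes reject them. The bounded check fires at the third digit (655 > 99), so it rejects the token well before the 16-bit accumulator could wrap.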