Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#893 closed defect (fixed)

Possible buffer overrun

Reported by: barlone@… Owned by:
Priority: minor Milestone: 1.9
Component: nginx-module Version: 1.9.x
Keywords: Cc:
uname -a:
nginx -V: 1.9.10

Description

Piece of code in file 'ngx_http_v2_filter_module.c', function ngx_http_v2_header_filter:

 len += 1 + clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
                                : ngx_http_v2_literal_size("nginx");

Here is calculating the length of the memory block that is allocated and filled in later. 1 not added, one byte out of allocated buffer access possible.

Expected behavior: add 1, then add size of one of two litetals.
Actual behavior: due to operator pecedence ('+' has greater priority than ternary condition), always add only size of first literal.

Change History (4)

comment:1 by Valentin V. Bartenev, 5 years ago

Status: newaccepted

Nice catch, thanks.

comment:2 by Valentin Bartenev <vbart@…>, 5 years ago

In 6377:11e019750adc/nginx:

HTTP/2: fixed possible buffer overrun (ticket #893).

Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected. That might result in one byte less
allocation than needed for the HEADERS frame buffer.

comment:3 by Valentin V. Bartenev, 5 years ago

Resolution: fixed
Status: acceptedclosed

comment:4 by Maxim Dounin, 4 years ago

sensitive: 10
Note: See TracTickets for help on using tickets.