changeset 390:d4f0d6c19c8d NGINX_0_6_39

nginx 0.6.39 *) Security: a segmentation fault might occur in worker process while handling a specially crafted request. Thanks to Chris Ries. *) Bugfix: a segmentation fault might occur in worker process, if error_log was set to info or debug level. Thanks to Sergey Bochenkov.
author Igor Sysoev <http://sysoev.ru>
date Mon, 14 Sep 2009 00:00:00 +0400
parents 9688a938d4c0
children 5c66038bb792
files CHANGES CHANGES.ru src/core/nginx.h src/http/modules/perl/nginx.pm src/http/ngx_http_parse.c
diffstat 5 files changed, 39 insertions(+), 13 deletions(-) [+]
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
 
+Changes with nginx 0.6.39                                        14 Sep 2009
+
+    *) Security: a segmentation fault might occur in worker process while 
+       specially crafted request handling.
+       Thanks to Chris Ries.
+
+    *) Bugfix: a segmentation fault might occur in worker process, if 
+       error_log was set to info or debug level.
+       Thanks to Sergey Bochenkov.
+
+
 Changes with nginx 0.6.38                                        22 Jun 2009
 
     *) Feature: the "keepalive_requests" directive.
@@ -1021,8 +1032,8 @@ Changes with nginx 0.5.12               
        amd64, sparc, and ppc; the bug had appeared in 0.5.8.
 
     *) Bugfix: a segmentation fault might occur in worker process if the 
-       temporarily files were used while working with FastCGI server; the 
-       bug had appeared in 0.5.8.
+       temporary files were used while working with FastCGI server; the bug 
+       had appeared in 0.5.8.
 
     *) Bugfix: a segmentation fault might occur in worker process if the 
        $fastcgi_script_name variable was logged.
@@ -1925,8 +1936,8 @@ Changes with nginx 0.3.31               
        in 0.3.18.
 
     *) Bugfix: if the HTTPS protocol was used in the "proxy_pass" directive 
-       and the request body was in temporarily file then the request was 
-       not transferred.
+       and the request body was in temporary file then the request was not 
+       transferred.
 
     *) Bugfix: perl 5.8.8 compatibility.
 
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,15 @@
 
+Изменения в nginx 0.6.39                                          14.09.2009
+
+    *) Безопасность: при обработке специально созданного запроса в рабочем 
+       процессе мог произойти segmentation fault.
+       Спасибо Chris Ries.
+
+    *) Исправление: при использовании error_log на уровне info или debug в 
+       рабочем процессе мог произойти segmentation fault.
+       Спасибо Сергею Боченкову.
+
+
 Изменения в nginx 0.6.38                                          22.06.2009
 
     *) Добавление: директива keepalive_requests.
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -8,8 +8,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version       006038
-#define NGINX_VERSION      "0.6.38"
+#define nginx_version       006039
+#define NGINX_VERSION      "0.6.39"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw(
     HTTP_INSUFFICIENT_STORAGE
 );
 
-our $VERSION = '0.6.38';
+our $VERSION = '0.6.39';
 
 require XSLoader;
 XSLoader::load('nginx', $VERSION);
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -738,6 +738,7 @@ ngx_http_parse_header_line(ngx_http_requ
 
         /* first char */
         case sw_start:
+            r->header_name_start = p;
             r->invalid_header = 0;
 
             switch (ch) {
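Review bot: The new `r->header_name_start = p;` at the top of `sw_start` deserves a comment, because nothing in the hunk shows who reads the field and the reason for moving it out of the `default:` branch (the deletion in the second hunk of this file, at L108) is not visible from the code alone. As written, the field is now stamped for every line entering `sw_start`, including lines whose first character is handled by the other `case` labels and never reach the name branch, so it can no longer be left pointing into a previous header line; the commit message ties this to the error_log info/debug crash, so presumably a logging path reads the field for a rejected line. Suggest above the new line: `/* set before dispatching on ch: must be valid even for lines that never reach the sw_name branch (the invalid-header path reads it) */`. The enclosing `ngx_http_parse_header_line` and the `switch (ch)` opened on the last line continue outside the hunk.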
@@ -750,7 +751,6 @@ ngx_http_parse_header_line(ngx_http_requ
                 goto header_done;
             default:
                 state = sw_name;
-                r->header_name_start = p;
 
                 c = lowcase[ch];
 
@@ -1123,11 +1123,15 @@ ngx_http_parse_complex_uri(ngx_http_requ
 #endif
             case '/':
                 state = sw_slash;
-                u -= 4;
-                if (u < r->uri.data) {
-                    return NGX_HTTP_PARSE_INVALID_REQUEST;
-                }
-                while (*(u - 1) != '/') {
+                u -= 5;
+                for ( ;; ) {
+                    if (u < r->uri.data) {
+                        return NGX_HTTP_PARSE_INVALID_REQUEST;
+                    }
+                    if (*u == '/') {
+                        u++;
+                        break;
+                    }
                     u--;
                 }
                 break;
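Review bot: `u -= 5` can form a pointer below `r->uri.data` (for instance when ".." is the first segment), and the loop's `u < r->uri.data` test and the `u--` that precedes it then compute and compare an out-of-object pointer; in C that is undefined behavior even though the check is what makes the rewind safe in practice, and on platforms with a flat address space it will merely work by accident. The bounds check itself is the right fix over the old `while (*(u - 1) != '/')`, which read before the buffer when no '/' was found; the remaining step is to test the distance before stepping back and to stop at `r->uri.data` rather than after passing it, which keeps the same accept/reject behaviour and the same resulting `u`. The constant 5 also wants a one-line comment, since it presumably skips the two dots, the '/' before them and the last character of the previous segment — worth confirming against the writer in `sw_dot_dot`. The enclosing `ngx_http_parse_complex_uri` and its `switch` start outside the hunk.

```c
            case '/':
                state = sw_slash;
                /* u is just past "/..": refuse to rewind past the buffer start
                 * before forming the pointer, then walk back to the previous '/' */
                if ((size_t) (u - r->uri.data) < 5) {
                    return NGX_HTTP_PARSE_INVALID_REQUEST;
                }
                u -= 5;
                for ( ;; ) {
                    if (*u == '/') {
                        u++;
                        break;
                    }
                    if (u == r->uri.data) {
                        return NGX_HTTP_PARSE_INVALID_REQUEST;
                    }
                    u--;
                }
                break;
```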