Mercurial > hg > nginx-quic
changeset 5676:fbfdf8017748
Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.
Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.
This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Mon, 18 Nov 2013 03:06:45 +0400 |
parents | 1710bf72243e |
children | 3a48775f1535 |
files | src/http/modules/ngx_http_proxy_module.c |
diffstat | 1 files changed, 3 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_ if (replacement->len > len) { - data = ngx_pnalloc(r->pool, new_len); + data = ngx_pnalloc(r->pool, new_len + 1); if (data == NULL) { return NGX_ERROR; } @@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_ p = ngx_copy(p, replacement->data, replacement->len); ngx_memcpy(p, h->value.data + prefix + len, - h->value.len - len - prefix); + h->value.len - len - prefix + 1); h->value.data = data; @@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_ replacement->len); ngx_memmove(p, h->value.data + prefix + len, - h->value.len - len - prefix); + h->value.len - len - prefix + 1); } h->value.len = new_len;