Mercurial > hg > nginx-vendor-current

diff src/core/ngx_inet.c @ 670:ad45b044f1e5 NGINX_1_1_19

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx 1.1.19 *) Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley. *) Bugfix: nginx/Windows might be terminated abnormally. Thanks to Vincent Lee. *) Bugfix: nginx hogged CPU if all servers in an upstream were marked as "backup". *) Bugfix: the "allow" and "deny" directives might be inherited incorrectly if they were used with IPv6 addresses. *) Bugfix: the "modern_browser" and "ancient_browser" directives might be inherited incorrectly. *) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC. *) Bugfix: in the ngx_http_mp4_module.
author Igor Sysoev <http://sysoev.ru>
date Thu, 12 Apr 2012 00:00:00 +0400
parents d0f7a625f27c
children bfa81a0490a2
line wrap: on
line diff
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -44,11 +44,7 @@ ngx_inet_addr(u_char *text, size_t len)
         return INADDR_NONE;
     }
 
-    if (n != 3) {
-        return INADDR_NONE;
-    }
-
-    if (octet < 256) {
+    if (n == 3 && octet < 256) {
         addr = (addr << 8) + octet;
         return htonl(addr);
     }
@@ -407,6 +403,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t 
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
+        if (shift > 128) {
+            return NGX_ERROR;
+        }
+
         addr = cidr->u.in6.addr.s6_addr;
         mask = cidr->u.in6.mask.s6_addr;
         rc = NGX_OK;
@@ -416,7 +416,7 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t 
             s = (shift > 8) ? 8 : shift;
             shift -= s;
 
-            mask[i] = (u_char) (0 - (1 << (8 - s)));
+            mask[i] = (u_char) (0xffu << (8 - s));
 
             if (addr[i] != (addr[i] & mask[i])) {
                 rc = NGX_DONE;
@@ -428,9 +428,12 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t 
 #endif
 
     default: /* AF_INET */
+        if (shift > 32) {
+            return NGX_ERROR;
+        }
 
         if (shift) {
-            cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift))));
+            cidr->u.in.mask = htonl((uint32_t) (0xffffffffu << (32 - shift)));
 
         } else {
             /* x86 compilers use a shl instruction that shifts by modulo 32 */
@@ -459,7 +462,7 @@ ngx_parse_addr(ngx_pool_t *pool, ngx_add
     struct sockaddr_in6  *sin6;
 
     /*
-     * prevent MSVC8 waring:
+     * prevent MSVC8 warning:
      *    potentially uninitialized local variable 'inaddr6' used
      */
     ngx_memzero(inaddr6.s6_addr, sizeof(struct in6_addr));