Mercurial > hg > nginx-vendor-current
diff src/core/ngx_inet.c @ 670:ad45b044f1e5 NGINX_1_1_19
nginx 1.1.19
*) Security: specially crafted mp4 file might allow to overwrite memory
locations in a worker process if the ngx_http_mp4_module was used,
potentially resulting in arbitrary code execution (CVE-2012-2089).
Thanks to Matthew Daley.
*) Bugfix: nginx/Windows might be terminated abnormally.
Thanks to Vincent Lee.
*) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
"backup".
*) Bugfix: the "allow" and "deny" directives might be inherited
incorrectly if they were used with IPv6 addresses.
*) Bugfix: the "modern_browser" and "ancient_browser" directives might
be inherited incorrectly.
*) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC.
*) Bugfix: in the ngx_http_mp4_module.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Thu, 12 Apr 2012 00:00:00 +0400 |
parents | d0f7a625f27c |
children | bfa81a0490a2 |
line wrap: on
line diff
--- a/src/core/ngx_inet.c +++ b/src/core/ngx_inet.c @@ -44,11 +44,7 @@ ngx_inet_addr(u_char *text, size_t len) return INADDR_NONE; } - if (n != 3) { - return INADDR_NONE; - } - - if (octet < 256) { + if (n == 3 && octet < 256) { addr = (addr << 8) + octet; return htonl(addr); } @@ -407,6 +403,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t #if (NGX_HAVE_INET6) case AF_INET6: + if (shift > 128) { + return NGX_ERROR; + } + addr = cidr->u.in6.addr.s6_addr; mask = cidr->u.in6.mask.s6_addr; rc = NGX_OK; @@ -416,7 +416,7 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t s = (shift > 8) ? 8 : shift; shift -= s; - mask[i] = (u_char) (0 - (1 << (8 - s))); + mask[i] = (u_char) (0xffu << (8 - s)); if (addr[i] != (addr[i] & mask[i])) { rc = NGX_DONE; @@ -428,9 +428,12 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t #endif default: /* AF_INET */ + if (shift > 32) { + return NGX_ERROR; + } if (shift) { - cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift)))); + cidr->u.in.mask = htonl((uint32_t) (0xffffffffu << (32 - shift))); } else { /* x86 compilers use a shl instruction that shifts by modulo 32 */ @@ -459,7 +462,7 @@ ngx_parse_addr(ngx_pool_t *pool, ngx_add struct sockaddr_in6 *sin6; /* - * prevent MSVC8 waring: + * prevent MSVC8 warning: * potentially uninitialized local variable 'inaddr6' used */ ngx_memzero(inaddr6.s6_addr, sizeof(struct in6_addr));