Mercurial > hg > nginx
comparison src/http/modules/ngx_http_proxy_module.c @ 4529:1ebec1d15a25
Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 15 Mar 2012 11:27:12 +0000 |
| parents | 778ef9c3fd2d |
| children | 834049edae24 |
comparison
equal
deleted
inserted
replaced
| 4528:00ccad19c53d | 4529:1ebec1d15a25 |
|---|---|
| 1379 } | 1379 } |
| 1380 | 1380 |
| 1381 h->value.data = h->key.data + h->key.len + 1; | 1381 h->value.data = h->key.data + h->key.len + 1; |
| 1382 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; | 1382 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; |
| 1383 | 1383 |
| 1384 ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); | 1384 ngx_memcpy(h->key.data, r->header_name_start, h->key.len); |
| 1385 ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); | 1385 h->key.data[h->key.len] = '\0'; |
| 1386 ngx_memcpy(h->value.data, r->header_start, h->value.len); | |
| 1387 h->value.data[h->value.len] = '\0'; | |
| 1386 | 1388 |
| 1387 if (h->key.len == r->lowcase_index) { | 1389 if (h->key.len == r->lowcase_index) { |
| 1388 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); | 1390 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); |
| 1389 | 1391 |
| 1390 } else { | 1392 } else { |