Mercurial > hg > nginx
comparison src/http/ngx_http_parse.c @ 6543:302ff40c9bc9
Added overflow checks for version numbers (ticket #762).
Both minor and major versions are now limited to 999 maximum. In case of
r->http_minor, this limit is already implied by the code. Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 18 May 2016 16:21:32 +0300 |
| parents | e370c5fdf4c8 |
| children | b3682580c1bd |
comparison
equal
deleted
inserted
replaced
| 6542:c93e57ba301b | 6543:302ff40c9bc9 |
|---|---|
| 735 | 735 |
| 736 if (ch < '0' || ch > '9') { | 736 if (ch < '0' || ch > '9') { |
| 737 return NGX_HTTP_PARSE_INVALID_REQUEST; | 737 return NGX_HTTP_PARSE_INVALID_REQUEST; |
| 738 } | 738 } |
| 739 | 739 |
| 740 if (r->http_major > 99) { | |
| 741 return NGX_HTTP_PARSE_INVALID_REQUEST; | |
| 742 } | |
| 743 | |
| 740 r->http_major = r->http_major * 10 + ch - '0'; | 744 r->http_major = r->http_major * 10 + ch - '0'; |
| 741 break; | 745 break; |
| 742 | 746 |
| 743 /* first digit of minor HTTP version */ | 747 /* first digit of minor HTTP version */ |
| 744 case sw_first_minor_digit: | 748 case sw_first_minor_digit: |
| 765 state = sw_spaces_after_digit; | 769 state = sw_spaces_after_digit; |
| 766 break; | 770 break; |
| 767 } | 771 } |
| 768 | 772 |
| 769 if (ch < '0' || ch > '9') { | 773 if (ch < '0' || ch > '9') { |
| 774 return NGX_HTTP_PARSE_INVALID_REQUEST; | |
| 775 } | |
| 776 | |
| 777 if (r->http_minor > 99) { | |
| 770 return NGX_HTTP_PARSE_INVALID_REQUEST; | 778 return NGX_HTTP_PARSE_INVALID_REQUEST; |
| 771 } | 779 } |
| 772 | 780 |
| 773 r->http_minor = r->http_minor * 10 + ch - '0'; | 781 r->http_minor = r->http_minor * 10 + ch - '0'; |
| 774 break; | 782 break; |
| 1678 | 1686 |
| 1679 if (ch < '0' || ch > '9') { | 1687 if (ch < '0' || ch > '9') { |
| 1680 return NGX_ERROR; | 1688 return NGX_ERROR; |
| 1681 } | 1689 } |
| 1682 | 1690 |
| 1691 if (r->http_major > 99) { | |
| 1692 return NGX_ERROR; | |
| 1693 } | |
| 1694 | |
| 1683 r->http_major = r->http_major * 10 + ch - '0'; | 1695 r->http_major = r->http_major * 10 + ch - '0'; |
| 1684 break; | 1696 break; |
| 1685 | 1697 |
| 1686 /* the first digit of minor HTTP version */ | 1698 /* the first digit of minor HTTP version */ |
| 1687 case sw_first_minor_digit: | 1699 case sw_first_minor_digit: |
| 1699 state = sw_status; | 1711 state = sw_status; |
| 1700 break; | 1712 break; |
| 1701 } | 1713 } |
| 1702 | 1714 |
| 1703 if (ch < '0' || ch > '9') { | 1715 if (ch < '0' || ch > '9') { |
| 1716 return NGX_ERROR; | |
| 1717 } | |
| 1718 | |
| 1719 if (r->http_minor > 99) { | |
| 1704 return NGX_ERROR; | 1720 return NGX_ERROR; |
| 1705 } | 1721 } |
| 1706 | 1722 |
| 1707 r->http_minor = r->http_minor * 10 + ch - '0'; | 1723 r->http_minor = r->http_minor * 10 + ch - '0'; |
| 1708 break; | 1724 break; |