Mercurial > hg > nginx
comparison src/core/ngx_inet.c @ 6463:5df5d7d771f6
Core: allow strings without null-termination in ngx_parse_url().
This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.
Found with MemorySanitizer.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
| author | Piotr Sikora <piotrsikora@google.com> |
|---|---|
| date | Fri, 26 Feb 2016 17:30:27 -0800 |
| parents | bc47a7a8159c |
| children | 2cd019520210 |
comparison
equal
deleted
inserted
replaced
| 6462:fd4b52e74f96 | 6463:5df5d7d771f6 |
|---|---|
| 527 | 527 |
| 528 ngx_int_t | 528 ngx_int_t |
| 529 ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u) | 529 ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u) |
| 530 { | 530 { |
| 531 u_char *p; | 531 u_char *p; |
| 532 size_t len; | |
| 532 | 533 |
| 533 p = u->url.data; | 534 p = u->url.data; |
| 534 | 535 len = u->url.len; |
| 535 if (ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) { | 536 |
| 537 if (len >= 5 && ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) { | |
| 536 return ngx_parse_unix_domain_url(pool, u); | 538 return ngx_parse_unix_domain_url(pool, u); |
| 537 } | 539 } |
| 538 | 540 |
| 539 if (p[0] == '[') { | 541 if (len && p[0] == '[') { |
| 540 return ngx_parse_inet6_url(pool, u); | 542 return ngx_parse_inet6_url(pool, u); |
| 541 } | 543 } |
| 542 | 544 |
| 543 return ngx_parse_inet_url(pool, u); | 545 return ngx_parse_inet_url(pool, u); |
| 544 } | 546 } |