Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 6409:71edd9192f24
Fixed buffer over-read while logging invalid request headers.
Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return
NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character. In this
case the r->header_end pointer isn't properly initialized, but the log message
in ngx_http_process_request_headers() hasn't been adjusted. It used the pointer
in size calculation, which might result in up to 2k buffer over-read.
Found with afl-fuzz.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Wed, 24 Feb 2016 16:01:23 +0300 |
parents | a6902a941279 |
children | 4ba91a4c66a3 |
comparison
equal
deleted
inserted
replaced
6408:cfc3cfa434ec | 6409:71edd9192f24 |
---|---|
1349 /* a header line parsing is still not complete */ | 1349 /* a header line parsing is still not complete */ |
1350 | 1350 |
1351 continue; | 1351 continue; |
1352 } | 1352 } |
1353 | 1353 |
1354 /* rc == NGX_HTTP_PARSE_INVALID_HEADER: "\r" is not followed by "\n" */ | 1354 /* rc == NGX_HTTP_PARSE_INVALID_HEADER */ |
1355 | 1355 |
1356 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 1356 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
1357 "client sent invalid header line: \"%*s\\r...\"", | 1357 "client sent invalid header line"); |
1358 r->header_end - r->header_name_start, | 1358 |
1359 r->header_name_start); | |
1360 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); | 1359 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); |
1361 return; | 1360 return; |
1362 } | 1361 } |
1363 } | 1362 } |
1364 | 1363 |