Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7690:8253424d1aff
Added size check to ngx_http_alloc_large_header_buffer().
This ensures that copying won't write more than the buffer size
even if the buffer comes from hc->free and it is smaller than the large
client header buffer size in the virtual host configuration. This might
happen if size of large client header buffers is different in name-based
virtual hosts, similarly to the problem with number of buffers fixed
in 6926:e662cbf1b932.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 06 Aug 2020 05:02:22 +0300 |
| parents | 8409f9df6219 |
| children | 45764bca69b0 |
comparison
equal
deleted
inserted
replaced
| 7689:da8d758aabeb | 7690:8253424d1aff |
|---|---|
| 1645 } | 1645 } |
| 1646 | 1646 |
| 1647 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | 1647 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
| 1648 "http large header copy: %uz", r->header_in->pos - old); | 1648 "http large header copy: %uz", r->header_in->pos - old); |
| 1649 | 1649 |
| 1650 if (r->header_in->pos - old > b->end - b->start) { | |
| 1651 ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | |
| 1652 "too large header to copy"); | |
| 1653 return NGX_ERROR; | |
| 1654 } | |
| 1655 | |
| 1650 new = b->start; | 1656 new = b->start; |
| 1651 | 1657 |
| 1652 ngx_memcpy(new, old, r->header_in->pos - old); | 1658 ngx_memcpy(new, old, r->header_in->pos - old); |
| 1653 | 1659 |
| 1654 b->pos = new + (r->header_in->pos - old); | 1660 b->pos = new + (r->header_in->pos - old); |