comparison src/http/ngx_http_request.c @ 9188:b05c622715fa
HTTP: uniform checks in ngx_http_alloc_large_header_buffer().
If URI is not fully parsed yet, some pointers are not set. As a result,
the calculation of "new + (ptr - old)" expression is flawed.
According to C11, 6.5.6 Additive operators, p.9:
: When two pointers are subtracted, both shall point to elements
: of the same array object, or one past the last element of the
: array object
Since "ptr" is not set, subtraction leads to undefined behaviour, because
"ptr" and "old" are not in the same buffer (i.e. array objects).
Prodded by GCC undefined behaviour sanitizer.
author | Vladimir Khomutov <vl@wbsrv.ru> |
---|---|
date | Wed, 29 Nov 2023 11:13:05 +0300 |
parents | dacad3a9c7b8 |
children | 0de20f43db25 |
9187:dacad3a9c7b8 | 9188:b05c622715fa |
---|---|
1716 | 1716 |
1717 if (r->request_end) { | 1717 if (r->request_end) { |
1718 r->request_end = new + (r->request_end - old); | 1718 r->request_end = new + (r->request_end - old); |
1719 } | 1719 } |
1720 | 1720 |
1721 r->method_end = new + (r->method_end - old); | 1721 if (r->method_end) { |
1722 | 1722 r->method_end = new + (r->method_end - old); |
1723 r->uri_start = new + (r->uri_start - old); | 1723 } |
1724 r->uri_end = new + (r->uri_end - old); | 1724 |
1725 if (r->uri_start) { | |
1726 r->uri_start = new + (r->uri_start - old); | |
1727 } | |
1728 | |
1729 if (r->uri_end) { | |
1730 r->uri_end = new + (r->uri_end - old); | |
1731 } | |
1725 | 1732 |
1726 if (r->schema_start) { | 1733 if (r->schema_start) { |
1727 r->schema_start = new + (r->schema_start - old); | 1734 r->schema_start = new + (r->schema_start - old); |
1728 r->schema_end = new + (r->schema_end - old); | 1735 if (r->schema_end) { |
1736 r->schema_end = new + (r->schema_end - old); | |
1737 } | |
1729 } | 1738 } |
1730 | 1739 |
1731 if (r->host_start) { | 1740 if (r->host_start) { |
1732 r->host_start = new + (r->host_start - old); | 1741 r->host_start = new + (r->host_start - old); |
1733 if (r->host_end) { | 1742 if (r->host_end) { |
1747 r->http_protocol.data = new + (r->http_protocol.data - old); | 1756 r->http_protocol.data = new + (r->http_protocol.data - old); |
1748 } | 1757 } |
1749 | 1758 |
1750 } else { | 1759 } else { |
1751 r->header_name_start = new; | 1760 r->header_name_start = new; |
1752 r->header_name_end = new + (r->header_name_end - old); | 1761 |
1753 r->header_start = new + (r->header_start - old); | 1762 if (r->header_name_end) { |
1754 r->header_end = new + (r->header_end - old); | 1763 r->header_name_end = new + (r->header_name_end - old); |
1764 } | |
1765 | |
1766 if (r->header_start) { | |
1767 r->header_start = new + (r->header_start - old); | |
1768 } | |
1769 | |
1770 if (r->header_end) { | |
1771 r->header_end = new + (r->header_end - old); | |
1772 } | |
1755 } | 1773 } |
1756 | 1774 |
1757 r->header_in = b; | 1775 r->header_in = b; |
1758 | 1776 |
1759 return NGX_OK; | 1777 return NGX_OK; |
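Review bot: The new guards at lines 1721–1731, 1735–1737 and 1762–1772 of the new side rely on every not-yet-parsed position pointer being NULL rather than merely stale, and nothing in the hunks states that precondition; a comment ahead of the relocation block would make it explicit, e.g. `/* each pointer below is either NULL (not parsed yet) or points into the old header buffer */`. The remaining `new + (p - old)` arithmetic is only well-defined when a non-NULL `p` lies within the old buffer, which appears to hold for the parser's own positions but is worth recording here because this path is driven by client-supplied oversized request lines and was the source of the sanitizer report. Note that `r->header_name_start = new;` at new line 1760 is the one assignment left unconditional, presumably because header-state parsing always restarts the name at the new buffer; a short comment on that line would spare the next reader from checking whether it was overlooked. The repeated `if (p) { p = new + (p - old); }` shape across seven fields could be collapsed into a small `static ngx_inline` helper or macro, though the explicit blocks are consistent with the surrounding code and also acceptable. ngx_http_alloc_large_header_buffer starts before the first hunk, new lines 1743–1755 fall between the two hunks, and its closing brace is outside the second.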