nginx: src/http/modules/ngx_http_proxy

comparison src/http/modules/ngx_http_proxy_module.c @ 5676:fbfdf8017748

Proxy: fixed possible uninitialized memory access. The ngx_http_proxy_rewrite_cookie() function expects the value of the "Set-Cookie" header to be null-terminated, and for headers obtained from proxied server it is usually true. Now the ngx_http_proxy_rewrite() function preserves the null character while rewriting headers. This fixes accessing memory outside of rewritten value if both the "proxy_cookie_path" and "proxy_cookie_domain" directives are used in the same location.

author	Valentin Bartenev <vbart@nginx.com>
date	Mon, 18 Nov 2013 03:06:45 +0400
parents	060c2e692b96
children	0cbefdcf82a6

comparison

equal deleted inserted replaced

-:1710bf72243e
+:fbfdf8017748
 new_len = replacement->len + h->value.len - len;
 if (replacement->len > len) {
-data = ngx_pnalloc(r->pool, new_len);
+data = ngx_pnalloc(r->pool, new_len + 1);
 if (data == NULL) {
 return NGX_ERROR;
 }
 p = ngx_copy(data, h->value.data, prefix);
 p = ngx_copy(p, replacement->data, replacement->len);
 ngx_memcpy(p, h->value.data + prefix + len,
-h->value.len - len - prefix);
+h->value.len - len - prefix + 1);
 h->value.data = data;
 } else {
 p = ngx_copy(h->value.data + prefix, replacement->data,
 replacement->len);
 ngx_memmove(p, h->value.data + prefix + len,
-h->value.len - len - prefix);
+h->value.len - len - prefix + 1);
 }
 h->value.len = new_len;
 return NGX_OK;

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_proxy_module.c @ 5676:fbfdf8017748