Mercurial > hg > nginx
comparison src/http/modules/ngx_http_proxy_module.c @ 5676:fbfdf8017748
Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.
Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.
This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Mon, 18 Nov 2013 03:06:45 +0400 |
parents | 060c2e692b96 |
children | 0cbefdcf82a6 |
comparison
equal
deleted
inserted
replaced
5675:1710bf72243e | 5676:fbfdf8017748 |
---|---|
2363 | 2363 |
2364 new_len = replacement->len + h->value.len - len; | 2364 new_len = replacement->len + h->value.len - len; |
2365 | 2365 |
2366 if (replacement->len > len) { | 2366 if (replacement->len > len) { |
2367 | 2367 |
2368 data = ngx_pnalloc(r->pool, new_len); | 2368 data = ngx_pnalloc(r->pool, new_len + 1); |
2369 if (data == NULL) { | 2369 if (data == NULL) { |
2370 return NGX_ERROR; | 2370 return NGX_ERROR; |
2371 } | 2371 } |
2372 | 2372 |
2373 p = ngx_copy(data, h->value.data, prefix); | 2373 p = ngx_copy(data, h->value.data, prefix); |
2374 p = ngx_copy(p, replacement->data, replacement->len); | 2374 p = ngx_copy(p, replacement->data, replacement->len); |
2375 | 2375 |
2376 ngx_memcpy(p, h->value.data + prefix + len, | 2376 ngx_memcpy(p, h->value.data + prefix + len, |
2377 h->value.len - len - prefix); | 2377 h->value.len - len - prefix + 1); |
2378 | 2378 |
2379 h->value.data = data; | 2379 h->value.data = data; |
2380 | 2380 |
2381 } else { | 2381 } else { |
2382 p = ngx_copy(h->value.data + prefix, replacement->data, | 2382 p = ngx_copy(h->value.data + prefix, replacement->data, |
2383 replacement->len); | 2383 replacement->len); |
2384 | 2384 |
2385 ngx_memmove(p, h->value.data + prefix + len, | 2385 ngx_memmove(p, h->value.data + prefix + len, |
2386 h->value.len - len - prefix); | 2386 h->value.len - len - prefix + 1); |
2387 } | 2387 } |
2388 | 2388 |
2389 h->value.len = new_len; | 2389 h->value.len = new_len; |
2390 | 2390 |
2391 return NGX_OK; | 2391 return NGX_OK; |