Mercurial > hg > nginx

diff src/http/modules/ngx_http_uwsgi_module.c @ 4529:1ebec1d15a25

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header(). This resulted in a disclosure of previously freed memory if upstream server returned specially crafted response, potentially exposing sensitive information. Reported by Matthew Daley.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 15 Mar 2012 11:27:12 +0000
parents 9c3a2fc3c460
children 834049edae24
line wrap: on
line diff
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -981,8 +981,10 @@ ngx_http_uwsgi_process_header(ngx_http_r
             h->value.data = h->key.data + h->key.len + 1;
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {
                 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);