Mercurial > hg > nginx

changeset 5676:fbfdf8017748

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Proxy: fixed possible uninitialized memory access. The ngx_http_proxy_rewrite_cookie() function expects the value of the "Set-Cookie" header to be null-terminated, and for headers obtained from proxied server it is usually true. Now the ngx_http_proxy_rewrite() function preserves the null character while rewriting headers. This fixes accessing memory outside of rewritten value if both the "proxy_cookie_path" and "proxy_cookie_domain" directives are used in the same location.
author Valentin Bartenev <vbart@nginx.com>
date Mon, 18 Nov 2013 03:06:45 +0400
parents 1710bf72243e
children 3a48775f1535
files src/http/modules/ngx_http_proxy_module.c
diffstat 1 files changed, 3 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_
 
     if (replacement->len > len) {
 
-        data = ngx_pnalloc(r->pool, new_len);
+        data = ngx_pnalloc(r->pool, new_len + 1);
         if (data == NULL) {
             return NGX_ERROR;
         }
@@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_
         p = ngx_copy(p, replacement->data, replacement->len);
 
         ngx_memcpy(p, h->value.data + prefix + len,
-                   h->value.len - len - prefix);
+                   h->value.len - len - prefix + 1);
 
         h->value.data = data;
 
@@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_
                      replacement->len);
 
         ngx_memmove(p, h->value.data + prefix + len,
-                    h->value.len - len - prefix);
+                    h->value.len - len - prefix + 1);
     }
 
     h->value.len = new_len;