diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2012-03-15 11:41:43 +0000 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2012-03-15 11:41:43 +0000 |
| commit | 44eade9c1df4ef009d9fcd7721d8e4c34370ca1d (patch) | |
| tree | 8be1916c9f4d828004ce934a83d0d97207cd327a /src | |
| parent | 6dbc33f8317e2a7a9596351f48f7914b5450779b (diff) | |
| download | nginx-44eade9c1df4ef009d9fcd7721d8e4c34370ca1d.tar.gz nginx-44eade9c1df4ef009d9fcd7721d8e4c34370ca1d.tar.bz2 | |
Merge of r4530, r4531: null character fixes.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/modules/ngx_http_fastcgi_module.c | 8 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_proxy_module.c | 6 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_scgi_module.c | 6 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_uwsgi_module.c | 6 | ||||
| -rw-r--r-- | src/http/ngx_http_parse.c | 14 |
5 files changed, 30 insertions, 10 deletions
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c index 5ae42ef62..23ef2957f 100644 --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -1446,10 +1446,10 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r) h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, - h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, - h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; } h->hash = r->header_hash; diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c index 6bb30db4d..75249b749 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -1278,8 +1278,10 @@ ngx_http_proxy_process_header(ngx_http_request_t *r) h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c index 08483cd70..5fb2ac5ae 100644 --- a/src/http/modules/ngx_http_scgi_module.c +++ b/src/http/modules/ngx_http_scgi_module.c @@ -894,8 +894,10 @@ ngx_http_scgi_process_header(ngx_http_request_t *r) h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c index 367388e63..fb5ff0d78 100644 --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -947,8 +947,10 @@ ngx_http_uwsgi_process_header(ngx_http_request_t *r) h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index 61081a414..420c9275f 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -814,6 +814,10 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -876,6 +880,10 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -894,6 +902,8 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, r->header_start = p; r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: r->header_start = p; state = sw_value; @@ -915,6 +925,8 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, case LF: r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; } break; @@ -928,6 +940,8 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, break; case LF: goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: state = sw_value; break; |