From ad42d70fed67c1e7098055fb25721ab904db2389 Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Thu, 18 Jul 2019 18:27:53 +0300 Subject: SSI: avoid potential buffer overflow. When "-" follows a parameter of maximum length, a single byte buffer overflow happens, since the error branch does not check parameter length. Fix is to avoid saving "-" to the parameter key, and instead use an error message with "-" explicitly written. The message is mostly identical to one used in similar cases in the preequal state. Reported by Patrick Wollgast. --- src/http/modules/ngx_http_ssi_filter_module.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/http/modules') diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c index d608df9df..6737965d1 100644 --- a/src/http/modules/ngx_http_ssi_filter_module.c +++ b/src/http/modules/ngx_http_ssi_filter_module.c @@ -1254,9 +1254,9 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx) case '-': state = ssi_error_end0_state; - ctx->param->key.data[ctx->param->key.len++] = ch; ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "invalid \"%V\" parameter in \"%V\" SSI command", + "unexpected \"-\" symbol after \"%V\" " + "parameter in \"%V\" SSI command", &ctx->param->key, &ctx->command); break; -- cgit