Klaus Demo nginx / 1d294ee
Fixed buffer over-read while logging invalid request headers. Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character. In this case the r->header_end pointer isn't properly initialized, but the log message in ngx_http_process_request_headers() hasn't been adjusted. It used the pointer in size calculation, which might result in up to 2k buffer over-read. Found with afl-fuzz. Valentin Bartenev 6 years ago
1 changed file(s) with 3 addition(s) and 4 deletion(s). Raw diff Collapse all Expand all
13501350 continue;
13511351 }
13521352
1353 /* rc == NGX_HTTP_PARSE_INVALID_HEADER: "\r" is not followed by "\n" */
1353 /* rc == NGX_HTTP_PARSE_INVALID_HEADER */
13541354
13551355 ngx_log_error(NGX_LOG_INFO, c->log, 0,
1356 "client sent invalid header line: \"%*s\\r...\"",
1357 r->header_end - r->header_name_start,
1358 r->header_name_start);
1356 "client sent invalid header line");
1357
13591358 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
13601359 return;
13611360 }