Klaus Demo nginx / eb526b7
Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header(). This resulted in a disclosure of previously freed memory if an upstream server returned a specially crafted response, potentially exposing sensitive information. Reported by Matthew Daley. Maxim Dounin 10 years ago
4 changed file(s) with 16 addition(s) and 10 deletion(s).
15001500 h->lowcase_key = h->key.data + h->key.len + 1
15011501 + h->value.len + 1;
15021502
1503 ngx_cpystrn(h->key.data, r->header_name_start,
1504 h->key.len + 1);
1505 ngx_cpystrn(h->value.data, r->header_start,
1506 h->value.len + 1);
1503 ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
1504 h->key.data[h->key.len] = '\0';
1505 ngx_memcpy(h->value.data, r->header_start, h->value.len);
1506 h->value.data[h->value.len] = '\0';
15071507 }
15081508
15091509 h->hash = r->header_hash;
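Review bot: The replacement copy lines in this hunk (and the identical ones in the three sections that follow) carry no comment recording why ngx_cpystrn() must not be used here, so a later cleanup could reintroduce it. ngx_cpystrn() stops at the first NUL byte of the source, and a crafted header that stops the copy early would leave the rest of the freshly allocated buffer unwritten while h->key.len / h->value.len still describe the full length — going by the commit message, that is presumably how previously freed memory was disclosed, though the allocation itself is outside the hunk. I would add above the ngx_memcpy() lines: `/* copy by length, not ngx_cpystrn(): the source may contain NUL bytes and every byte of the buffer must be written */`. The same four lines are now repeated in all four modules, so a small static helper taking h and r would keep the fix in one place. The enclosing function starts and ends outside the hunk.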
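--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1380,8 +1380,10 @@
 h->value.data = h->key.data + h->key.len + 1;
 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+h->key.data[h->key.len] = '\0';
+ngx_memcpy(h->value.data, r->header_start, h->value.len);
+h->value.data[h->value.len] = '\0';
 
 if (h->key.len == r->lowcase_index) {
 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);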
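--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -940,8 +940,10 @@
 h->value.data = h->key.data + h->key.len + 1;
 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+h->key.data[h->key.len] = '\0';
+ngx_memcpy(h->value.data, r->header_start, h->value.len);
+h->value.data[h->value.len] = '\0';
 
 if (h->key.len == r->lowcase_index) {
 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);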
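--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -980,8 +980,10 @@
 h->value.data = h->key.data + h->key.len + 1;
 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+h->key.data[h->key.len] = '\0';
+ngx_memcpy(h->value.data, r->header_start, h->value.len);
+h->value.data[h->value.len] = '\0';
 
 if (h->key.len == r->lowcase_index) {
 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);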