mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-11-27 23:49:00 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SPDY: fixed corruption of headers with names longer than 255.

Browse Source 
It is a bad idea to put zero byte in position where the length of
the next header name can be stored before it was parsed.
This commit is contained in:
Valentin Bartenev 2013-08-15 19:14:58 +04:00
parent ef76fbebd6
commit 3be925b6e3
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/http/ngx_http_spdy.c
View File

@ -809,6 +809,8 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
sc->zstream_in.next_in = pos;
sc->zstream_in.avail_in = size;
sc->zstream_in.next_out = buf->last;
/* one byte is reserved for null-termination of the last header value */
sc->zstream_in.avail_out = buf->end - buf->last - 1;
z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@ -912,9 +914,14 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
return ngx_http_spdy_state_headers_error(sc, pos, end);
}
/* null-terminate the last processed header name or value */
*buf->pos = '\0';
buf = r->header_in;
sc->zstream_in.next_out = buf->last;
/* one byte is reserved for null-termination */
sc->zstream_in.avail_out = buf->end - buf->last - 1;
z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@ -996,6 +1003,9 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
ngx_http_spdy_state_headers);
}
/* null-terminate the last header value */
*buf->pos = '\0';
ngx_http_spdy_run_request(r);
return ngx_http_spdy_state_complete(sc, pos, end);
@ -1936,6 +1946,9 @@ ngx_http_spdy_parse_header(ngx_http_request_t *r)
return NGX_HTTP_PARSE_INVALID_HEADER;
}
/* null-terminate the previous header value */
*p = '\0';
p += NGX_SPDY_NV_NLEN_SIZE;
r->header_name_end = p + len;
@ -2005,6 +2018,9 @@ ngx_http_spdy_parse_header(ngx_http_request_t *r)
return NGX_ERROR;
}
/* null-terminate header name */
*p = '\0';
p += NGX_SPDY_NV_VLEN_SIZE;
r->header_end = p + len;
@ -2163,11 +2179,9 @@ ngx_http_spdy_handle_request_header(ngx_http_request_t *r)
h->key.len = r->lowcase_index;
h->key.data = r->header_name_start;
h->key.data[h->key.len] = '\0';
h->value.len = r->header_size;
h->value.data = r->header_start;
h->value.data[h->value.len] = '\0';
h->lowcase_key = h->key.data;