mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-02 20:09:01 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Core: overflow detection in number parsing functions.

Browse Source
This commit is contained in:
Ruslan Ermilov 2015-03-17 00:26:15 +03:00
parent 309928b941
commit 8167ce8537
2 changed files with 72 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/core/ngx_parse.c
View File

@ -12,10 +12,9 @@
ssize_t ssize_t
ngx_parse_size(ngx_str_t *line) ngx_parse_size(ngx_str_t *line)
{ {
u_char unit; u_char unit;
size_t len; size_t len;
ssize_t size; ssize_t size, scale, max;
ngx_int_t scale;
len = line->len; len = line->len;
unit = line->data[len - 1]; unit = line->data[len - 1];
@ -24,21 +23,24 @@ ngx_parse_size(ngx_str_t *line)
case 'K': case 'K':
case 'k': case 'k':
len--; len--;
max = NGX_MAX_SIZE_T_VALUE / 1024;
scale = 1024; scale = 1024;
break; break;
case 'M': case 'M':
case 'm': case 'm':
len--; len--;
max = NGX_MAX_SIZE_T_VALUE / (1024 * 1024);
scale = 1024 * 1024; scale = 1024 * 1024;
break; break;
default: default:
max = NGX_MAX_SIZE_T_VALUE;
scale = 1; scale = 1;
} }
size = ngx_atosz(line->data, len); size = ngx_atosz(line->data, len);
if (size == NGX_ERROR) { if (size == NGX_ERROR || size > max) {
return NGX_ERROR; return NGX_ERROR;
} }
@ -51,10 +53,9 @@ ngx_parse_size(ngx_str_t *line)
off_t off_t
ngx_parse_offset(ngx_str_t *line) ngx_parse_offset(ngx_str_t *line)
{ {
u_char unit; u_char unit;
off_t offset; off_t offset, scale, max;
size_t len; size_t len;
ngx_int_t scale;
len = line->len; len = line->len;
unit = line->data[len - 1]; unit = line->data[len - 1];
@ -63,27 +64,31 @@ ngx_parse_offset(ngx_str_t *line)
case 'K': case 'K':
case 'k': case 'k':
len--; len--;
max = NGX_MAX_OFF_T_VALUE / 1024;
scale = 1024; scale = 1024;
break; break;
case 'M': case 'M':
case 'm': case 'm':
len--; len--;
max = NGX_MAX_OFF_T_VALUE / (1024 * 1024);
scale = 1024 * 1024; scale = 1024 * 1024;
break; break;
case 'G': case 'G':
case 'g': case 'g':
len--; len--;
max = NGX_MAX_OFF_T_VALUE / (1024 * 1024 * 1024);
scale = 1024 * 1024 * 1024; scale = 1024 * 1024 * 1024;
break; break;
default: default:
max = NGX_MAX_OFF_T_VALUE;
scale = 1; scale = 1;
} }
offset = ngx_atoof(line->data, len); offset = ngx_atoof(line->data, len);
if (offset == NGX_ERROR) { if (offset == NGX_ERROR || offset > max) {
return NGX_ERROR; return NGX_ERROR;
} }

99
src/core/ngx_string.c
View File

@ -901,26 +901,28 @@ ngx_filename_cmp(u_char *s1, u_char *s2, size_t n)
ngx_int_t ngx_int_t
ngx_atoi(u_char *line, size_t n) ngx_atoi(u_char *line, size_t n)
{ {
ngx_int_t value; ngx_int_t value, cutoff, cutlim;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_INT_T_VALUE / 10;
cutlim = NGX_MAX_INT_T_VALUE % 10;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') { if (*line < '0' || *line > '9') {
return NGX_ERROR; return NGX_ERROR;
} }
if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
return NGX_ERROR;
}
value = value * 10 + (*line - '0'); value = value * 10 + (*line - '0');
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }
@ -929,13 +931,16 @@ ngx_atoi(u_char *line, size_t n)
ngx_int_t ngx_int_t
ngx_atofp(u_char *line, size_t n, size_t point) ngx_atofp(u_char *line, size_t n, size_t point)
{ {
ngx_int_t value; ngx_int_t value, cutoff, cutlim;
ngx_uint_t dot; ngx_uint_t dot;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_INT_T_VALUE / 10;
cutlim = NGX_MAX_INT_T_VALUE % 10;
dot = 0; dot = 0;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
@ -957,98 +962,107 @@ ngx_atofp(u_char *line, size_t n, size_t point)
return NGX_ERROR; return NGX_ERROR;
} }
if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
return NGX_ERROR;
}
value = value * 10 + (*line - '0'); value = value * 10 + (*line - '0');
point -= dot; point -= dot;
} }
while (point--) { while (point--) {
if (value > cutoff) {
return NGX_ERROR;
}
value = value * 10; value = value * 10;
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }
ssize_t ssize_t
ngx_atosz(u_char *line, size_t n) ngx_atosz(u_char *line, size_t n)
{ {
ssize_t value; ssize_t value, cutoff, cutlim;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_SIZE_T_VALUE / 10;
cutlim = NGX_MAX_SIZE_T_VALUE % 10;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') { if (*line < '0' || *line > '9') {
return NGX_ERROR; return NGX_ERROR;
} }
if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
return NGX_ERROR;
}
value = value * 10 + (*line - '0'); value = value * 10 + (*line - '0');
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }
off_t off_t
ngx_atoof(u_char *line, size_t n) ngx_atoof(u_char *line, size_t n)
{ {
off_t value; off_t value, cutoff, cutlim;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_OFF_T_VALUE / 10;
cutlim = NGX_MAX_OFF_T_VALUE % 10;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') { if (*line < '0' || *line > '9') {
return NGX_ERROR; return NGX_ERROR;
} }
if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
return NGX_ERROR;
}
value = value * 10 + (*line - '0'); value = value * 10 + (*line - '0');
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }
time_t time_t
ngx_atotm(u_char *line, size_t n) ngx_atotm(u_char *line, size_t n)
{ {
time_t value; time_t value, cutoff, cutlim;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_TIME_T_VALUE / 10;
cutlim = NGX_MAX_TIME_T_VALUE % 10;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') { if (*line < '0' || *line > '9') {
return NGX_ERROR; return NGX_ERROR;
} }
if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
return NGX_ERROR;
}
value = value * 10 + (*line - '0'); value = value * 10 + (*line - '0');
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }
@ -1056,13 +1070,19 @@ ngx_int_t
ngx_hextoi(u_char *line, size_t n) ngx_hextoi(u_char *line, size_t n)
{ {
u_char c, ch; u_char c, ch;
ngx_int_t value; ngx_int_t value, cutoff;
if (n == 0) { if (n == 0) {
return NGX_ERROR; return NGX_ERROR;
} }
cutoff = NGX_MAX_INT_T_VALUE / 16;
for (value = 0; n--; line++) { for (value = 0; n--; line++) {
if (value > cutoff) {
return NGX_ERROR;
}
ch = *line; ch = *line;
if (ch >= '0' && ch <= '9') { if (ch >= '0' && ch <= '9') {
@ -1080,12 +1100,7 @@ ngx_hextoi(u_char *line, size_t n)
return NGX_ERROR; return NGX_ERROR;
} }
if (value < 0) { return value;
return NGX_ERROR;
} else {
return value;
}
} }