mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 21:52:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

SSI: avoid potential buffer overflow.

Browse Source 
When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.
This commit is contained in:
Maxim Dounin 2019-07-18 18:27:53 +03:00
parent 20c8c4fe35
commit ad42d70fed
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/http/modules/ngx_http_ssi_filter_module.c
View File

@ -1254,9 +1254,9 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx)
case '-': case '-':
state = ssi_error_end0_state; state = ssi_error_end0_state;
ctx->param->key.data[ctx->param->key.len++] = ch;
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"invalid \"%V\" parameter in \"%V\" SSI command", "unexpected \"-\" symbol after \"%V\" "
"parameter in \"%V\" SSI command",
&ctx->param->key, &ctx->command); &ctx->param->key, &ctx->command);
break; break;