mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-04 22:09:01 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Proxy: fixed possible uninitialized memory access.

Browse Source 
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
This commit is contained in:
Valentin Bartenev 2013-11-18 03:06:45 +04:00
parent 58e26b88b7
commit b53306815e
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/http/modules/ngx_http_proxy_module.c
View File

@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
if (replacement->len > len) { if (replacement->len > len) {
data = ngx_pnalloc(r->pool, new_len); data = ngx_pnalloc(r->pool, new_len + 1);
if (data == NULL) { if (data == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }
@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
p = ngx_copy(p, replacement->data, replacement->len); p = ngx_copy(p, replacement->data, replacement->len);
ngx_memcpy(p, h->value.data + prefix + len, ngx_memcpy(p, h->value.data + prefix + len,
h->value.len - len - prefix); h->value.len - len - prefix + 1);
h->value.data = data; h->value.data = data;
@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
replacement->len); replacement->len);
ngx_memmove(p, h->value.data + prefix + len, ngx_memmove(p, h->value.data + prefix + len,
h->value.len - len - prefix); h->value.len - len - prefix + 1);
} }
h->value.len = new_len; h->value.len = new_len;