mirror of
https://github.com/nginx/nginx.git
synced 2024-12-04 05:38:59 +08:00
Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the "Set-Cookie" header to be null-terminated, and for headers obtained from proxied server it is usually true. Now the ngx_http_proxy_rewrite() function preserves the null character while rewriting headers. This fixes accessing memory outside of rewritten value if both the "proxy_cookie_path" and "proxy_cookie_domain" directives are used in the same location.
This commit is contained in:
parent
58e26b88b7
commit
b53306815e
@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
|
|||||||
|
|
||||||
if (replacement->len > len) {
|
if (replacement->len > len) {
|
||||||
|
|
||||||
data = ngx_pnalloc(r->pool, new_len);
|
data = ngx_pnalloc(r->pool, new_len + 1);
|
||||||
if (data == NULL) {
|
if (data == NULL) {
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
|
|||||||
p = ngx_copy(p, replacement->data, replacement->len);
|
p = ngx_copy(p, replacement->data, replacement->len);
|
||||||
|
|
||||||
ngx_memcpy(p, h->value.data + prefix + len,
|
ngx_memcpy(p, h->value.data + prefix + len,
|
||||||
h->value.len - len - prefix);
|
h->value.len - len - prefix + 1);
|
||||||
|
|
||||||
h->value.data = data;
|
h->value.data = data;
|
||||||
|
|
||||||
@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
|
|||||||
replacement->len);
|
replacement->len);
|
||||||
|
|
||||||
ngx_memmove(p, h->value.data + prefix + len,
|
ngx_memmove(p, h->value.data + prefix + len,
|
||||||
h->value.len - len - prefix);
|
h->value.len - len - prefix + 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
h->value.len = new_len;
|
h->value.len = new_len;
|
||||||
|
Loading…
Reference in New Issue
Block a user