mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-09 19:12:47 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Core: allow strings without null-termination in ngx_parse_url().

Browse Source 
This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
This commit is contained in:
Piotr Sikora 2016-02-26 17:30:27 -08:00
parent 030a1f959c
commit c3aed0a233
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/core/ngx_inet.c
View File

@ -529,14 +529,16 @@ ngx_int_t
ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u) ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u)
{ {
u_char *p; u_char *p;
size_t len;
p = u->url.data; p = u->url.data;
len = u->url.len;
if (ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) { if (len >= 5 && ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) {
return ngx_parse_unix_domain_url(pool, u); return ngx_parse_unix_domain_url(pool, u);
} }
if (p[0] == '[') { if (len && p[0] == '[') {
return ngx_parse_inet6_url(pool, u); return ngx_parse_inet6_url(pool, u);
} }