Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Maxim Dounin mdounin at
Tue Oct 7 18:57:44 UTC 2014


On Tue, Oct 07, 2014 at 06:10:04PM +0000, Bondarev, Daniil wrote:

> Yep, I've thought about this, but prefer not to modify buffer at all, since it feels more error-prone.
> F.E: SB might decide to change number of dots, or reuse last header from this buffer, etc.

Changing the number of dots is highly unlikely and it will be hard 
to do it incorrectly, as the "3" in the patch directly corresponds 
to the number.  Reuse of the header is highly unlikely too, as it 
is the fatal error and the header is known to be incomplete.

> Do you feel strongly against printing "..."  just at log line?

Resulting code is way longer than it should be, so I would rather 
prefer simplier variant.

On the other hand, looking into this more closely, I tend to think 
that ellipsis should be always added to make it clear that the 
header logged is incomplete.

Here is a patch:

--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1227,12 +1227,11 @@ ngx_http_process_request_headers(ngx_eve
                     if (len > NGX_MAX_ERROR_STR - 300) {
                         len = NGX_MAX_ERROR_STR - 300;
-                        p[len++] = '.'; p[len++] = '.'; p[len++] = '.';
                     ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                                  "client sent too long header line: \"%*s\"",
-                                  len, r->header_name_start);
+                                "client sent too long header line: \"%*s...\"",
+                                len, r->header_name_start);

Maxim Dounin

More information about the nginx-devel mailing list