[nginx] Overflow detection in ngx_http_parse_chunked().

Maxim Dounin mdounin at mdounin.ru
Tue Apr 7 13:05:26 UTC 2015


details:   http://hg.nginx.org/nginx/rev/b5094e26e4e5
branches:  stable-1.6
changeset: 6088:b5094e26e4e5
user:      Ruslan Ermilov <ru at nginx.com>
date:      Tue Mar 17 00:26:27 2015 +0300
description:
Overflow detection in ngx_http_parse_chunked().

diffstat:

 src/http/ngx_http_parse.c |  12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diffs (36 lines):

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2104,6 +2104,10 @@ ngx_http_parse_chunked(ngx_http_request_
             goto invalid;
 
         case sw_chunk_size:
+            if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+                goto invalid;
+            }
+
             if (ch >= '0' && ch <= '9') {
                 ctx->size = ctx->size * 16 + (ch - '0');
                 break;
@@ -2253,6 +2257,10 @@ data:
     ctx->state = state;
     b->pos = pos;
 
+    if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+        goto invalid;
+    }
+
     switch (state) {
 
     case sw_chunk_start:
@@ -2289,10 +2297,6 @@ data:
 
     }
 
-    if (ctx->size < 0 || ctx->length < 0) {
-        goto invalid;
-    }
-
     return rc;
 
 done:



More information about the nginx-devel mailing list