src/http/modules/ngx_http_proxy_module.c:645 in ngx_http_proxy_eval<div><br></div><div>For some service the proxy url is specified by user from arguments. after</div><div>ngx_http_script_run, proxy.len may be smaller than "http://" without the </div>
<div>terminating '\0'. For example, {len = 4, data = "<a href="http://abcdefg">http://abcdefg</a>"}. It passes the</div><div>schema check, but url.url.len = proxy.len - 7 becomes a very big number.</div>
<div>the process will core during later memcpy.</div><div><br></div><div>simple fix:</div><div><br></div><div><div>diff -ruN nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c</div>
<div>--- nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c<span class="Apple-tab-span" style="white-space:pre"> </span>2011-02-17 19:54:35.000000000 +0800</div><div>+++ nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c<span class="Apple-tab-span" style="white-space:pre"> </span>2011-07-28 09:57:06.568333685 +0800</div>
<div>@@ -642,14 +642,14 @@</div><div> return NGX_ERROR;</div><div> }</div><div> </div><div>- if (ngx_strncasecmp(proxy.data, (u_char *) "http://", 7) == 0) {</div><div>+ if (proxy.len > 7 && ngx_strncasecmp(proxy.data, (u_char *) "http://", 7) == 0) {</div>
<div> </div><div> add = 7;</div><div> port = 80;</div><div> </div><div> #if (NGX_HTTP_SSL)</div><div> </div><div>- } else if (ngx_strncasecmp(proxy.data, (u_char *) "https://", 8) == 0) {</div>
<div>+ } else if (proxy.len > 8 && ngx_strncasecmp(proxy.data, (u_char *) "https://", 8) == 0) {</div><div> </div><div> add = 8;</div><div> port = 443;</div></div>