[BUG] Core dump for invalid proxy url
lanshun zhou
zls.sogou at gmail.com
Thu Jul 28 02:29:28 UTC 2011
src/http/modules/ngx_http_proxy_module.c:645 in ngx_http_proxy_eval
For some services, the proxy URL is specified by the user from arguments. After
ngx_http_script_run, proxy.len may be smaller than "http://" without the
terminating '\0'. For example, {len = 4, data = "http://abcdefg"}. It passes
the schema check, but url.url.len = proxy.len - 7 becomes a very big number.
The process will core during the later memcpy.
Simple fix:
diff -ruN nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c
nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c
--- nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c 2011-02-17
19:54:35.000000000 +0800
+++ nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c 2011-07-28
09:57:06.568333685 +0800
@@ -642,14 +642,14 @@
return NGX_ERROR;
}
- if (ngx_strncasecmp(proxy.data, (u_char *) "http://", 7) == 0) {
+ if (proxy.len > 7 && ngx_strncasecmp(proxy.data, (u_char *) "http://",
7) == 0) {
add = 7;
port = 80;
#if (NGX_HTTP_SSL)
- } else if (ngx_strncasecmp(proxy.data, (u_char *) "https://", 8) == 0)
{
+ } else if (proxy.len > 8 && ngx_strncasecmp(proxy.data, (u_char *)
"https://", 8) == 0) {
add = 8;
port = 443;
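Review bot: the new conditions use `proxy.len > 7` and `proxy.len > 8`, so a value that is exactly "http://" or "https://" no longer matches either branch; if rejecting an empty host is the intent, say so in a comment, otherwise the test should be `>=`. The literals 7 and 8 now appear three times per branch (length test, compare length, `add`), so deriving them once from `sizeof("http://") - 1` and `sizeof("https://") - 1` would keep the three in step. The patch has also been line-wrapped by the mailer (for example `7) == 0) {` sits on its own line), so it will not apply as posted; resending it as an attachment would avoid that.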
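The underflow described in the report, as an added example that is not part of the original post or of nginx's source. `str_t` is a stand-in for nginx's counted `ngx_str_t`, POSIX `strncasecmp` stands in for `ngx_strncasecmp`, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>  /* POSIX strncasecmp, standing in for ngx_strncasecmp */

/* Stand-in for ngx_str_t: a counted string, not NUL-terminated at len. */
typedef struct {
    size_t               len;
    const unsigned char *data;
} str_t;

/* Check as described in the report: 7 bytes compared, len never consulted. */
static size_t
rest_len_unchecked(const str_t *proxy)
{
    if (strncasecmp((const char *) proxy->data, "http://", 7) == 0) {
        return proxy->len - 7;          /* size_t wraps when len < 7 */
    }
    return 0;
}

/* Check with the length test first, as in the proposed fix. */
static int
rest_len_checked(const str_t *proxy, size_t *rest)
{
    if (proxy->len > 7
        && strncasecmp((const char *) proxy->data, "http://", 7) == 0)
    {
        *rest = proxy->len - 7;
        return 0;
    }
    return -1;                          /* reject before any arithmetic */
}

int
main(void)
{
    /* Constructed input from the report: len = 4 over a longer buffer. */
    static const unsigned char buf[] = "http://abcdefg";
    str_t   bad = { 4, buf }, good = { sizeof(buf) - 1, buf };
    size_t  rest = 0;
    int     rc;

    printf("unchecked len=4:  rest=%zu\n", rest_len_unchecked(&bad));
    rc = rest_len_checked(&bad, &rest);
    printf("checked   len=4:  rc=%d\n", rc);
    rc = rest_len_checked(&good, &rest);
    printf("checked   len=14: rc=%d rest=%zu\n", rc, rest);
    return 0;
}
```

The unchecked result for `len = 4` is `SIZE_MAX - 2`, the "very big number" that would later be handed to `memcpy` as a length.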