[BUG] Core dump for invalid proxy url

lanshun zhou zls.sogou at gmail.com
Thu Jul 28 02:29:28 UTC 2011


src/http/modules/ngx_http_proxy_module.c:645 in ngx_http_proxy_eval

For some services the proxy URL is specified by the user from arguments. After
ngx_http_script_run, proxy.len may be smaller than "http://" without the
terminating '\0'. For example, {len = 4, data = "http://abcdefg"}. It passes
the schema check, but url.url.len = proxy.len - 7 becomes a very big number.
The process will core during the later memcpy.

Simple fix:

diff -ruN nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c
nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c
--- nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c 2011-02-17
19:54:35.000000000 +0800
+++ nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c 2011-07-28
09:57:06.568333685 +0800
@@ -642,14 +642,14 @@
         return NGX_ERROR;
     }

-    if (ngx_strncasecmp(proxy.data, (u_char *) "http://", 7) == 0) {
+    if (proxy.len > 7 && ngx_strncasecmp(proxy.data, (u_char *) "http://",
7) == 0) {

         add = 7;
         port = 80;

 #if (NGX_HTTP_SSL)

-    } else if (ngx_strncasecmp(proxy.data, (u_char *) "https://", 8) == 0)
{
+    } else if (proxy.len > 8 && ngx_strncasecmp(proxy.data, (u_char *)
"https://", 8) == 0) {

         add = 8;
         port = 443;
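
Review bot: In both changed conditions the length guard is tied to the literal by hand (`proxy.len > 7` beside `"http://", 7`, and `proxy.len > 8` beside `"https://", 8`), and the same numbers appear a third time as `add`; deriving all of them from one place, for example `sizeof("http://") - 1`, would keep the guard and the later `proxy.len - add` subtraction from drifting apart. The strict `>` also rejects a value that is exactly the scheme with no host after it, which looks intended but deserves a short comment. The new condition lines run past 80 columns and were wrapped by the mailer, so the patch as posted will not apply cleanly; splitting each condition across two lines or resending as a plain-text attachment would fix that.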
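
The length underflow described in the report, as an added example that is not part of the original message or of nginx: `str_t` and both functions are hypothetical stand-ins for the {len, data} pair and the scheme check, and the input is the report's own sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <strings.h>

/* Hypothetical counted string, modelled on the {len, data} pair in the report. */
typedef struct {
    size_t               len;
    const unsigned char *data;
} str_t;

/* Before the fix: the prefix compare ignores s.len, so the subtraction can wrap. */
static size_t rest_len_unchecked(str_t s)
{
    if (strncasecmp((const char *) s.data, "http://", 7) == 0) {
        return s.len - 7;            /* size_t: 4 - 7 wraps to SIZE_MAX - 2 */
    }
    return 0;
}

/* After the fix: require len > prefix length before comparing or subtracting.
 * Returns 0 and stores the remaining length, or -1 for a rejected value. */
static int rest_len_checked(str_t s, size_t *rest)
{
    static const char prefix[] = "http://";
    size_t            n = sizeof(prefix) - 1;

    if (s.len > n && strncasecmp((const char *) s.data, prefix, n) == 0) {
        *rest = s.len - n;
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed input from the report: the buffer holds more than len says. */
    str_t  bad = { 4, (const unsigned char *) "http://abcdefg" };
    str_t  ok  = { 14, (const unsigned char *) "http://abcdefg" };
    size_t rest = 0;

    printf("unchecked: %zu\n", rest_len_unchecked(bad));
    printf("checked bad: %d\n", rest_len_checked(bad, &rest));
    printf("checked ok: %d rest=%zu\n", rest_len_checked(ok, &rest), rest);
    return 0;
}
```

The unchecked result is the length a later copy would be asked to move, which is why the process dies in memcpy rather than at the scheme check.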