[PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin mdounin at mdounin.ru
Wed Jun 1 03:56:39 MSD 2011


Hello!

On Wed, Jun 01, 2011 at 12:24:10AM +0800, Simon Liu wrote:

> This bug will give rise to an nginx (version >= 0.8.40) core dump, and it was
> caused by this feature:
> 
>     *) Feature: a "fastcgi_param" directive with value starting with
>        "HTTP_" overrides a client request header line.
> 
> 
> When we define a fastcgi_param directive with a value starting with "HTTP_",
> nginx mallocs an array (its size is header_params, the number of values starting
> with "HTTP_"), and if the request header contains this value (HTTP_xxx), nginx
> will add this header pointer to the array, but if the header is duplicated, this
> array will be overrun.
> 
> e.g. if the config contains this directive (fastcgi_param HTTP_HOST
> $http_host), and the request then sends multiple duplicated headers (Host),
> nginx will core dump.

Yes, thank you, it's a known problem.

[...]

> +static ngx_inline ngx_int_t
> +ngx_http_fastcgi_ignored_header(ngx_uint_t hash, ngx_uint_t header_params,
> ngx_uint_t *ignored)
> +{
> +    ngx_uint_t          n;
> +
> +    for (n = 0; n < header_params; n++) {
> +        if (hash == ignored[n]) {
> +            return NGX_OK;
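
Review bot: the match in ngx_http_fastcgi_ignored_header is decided by `hash == ignored[n]` alone, so a request header whose hash happens to collide with one of the configured HTTP_ params would be silently dropped from the FastCGI request even though no fastcgi_param overrides it. After the hash comparison, compare the header name's length and bytes against the stored key before returning NGX_OK; that means the `ignored` array has to carry the key (or a pointer to it) next to the hash rather than the hash alone.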

You can't rely on hash here, as it's expected to have collisions.

[...]

> @@ -2374,7 +2363,22 @@
> 
>              hk->key.len = src[i].key.len - 5;
>              hk->key.data = src[i].key.data + 5;
> -            hk->key_hash = ngx_hash_key_lc(hk->key.data, hk->key.len);
> +
> +            params_hash = 0;
> +            for (n = 5; n < src[i].key.len; n++) {
> +                ch = src[i].key.data[n];
> +
> +                if (ch >= 'A' && ch <= 'Z') {
> +                    ch |= 0x20;
> +
> +                } else if (ch == '_') {
> +                    ch = '-';
> +                }
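
Review bot: the loop rewrites every '_' in the param name to '-' unconditionally, so a param meant for a header that really contains an underscore becomes indistinguishable from its dashed counterpart, and the request-header side would have to apply exactly the same mapping for `params_hash` to match anything. Note also that the removed `hk->key_hash = ngx_hash_key_lc(hk->key.data, hk->key.len);` is not visibly replaced in this hunk, while `hk->key.data` still points at the untransformed name; whatever key_hash ends up holding must be computed over the same byte sequence that the lookup hashes. Consider hashing the raw key with ngx_hash_key_lc and leaving '_' alone, or only folding it when the request side is known to do the same.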

This makes it impossible to overwrite headers with real underscores
(if underscores_in_headers are allowed).

Maxim Dounin
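An added example, written for this thread and not nginx's code nor either poster's, modelling the bookkeeping the report describes: an array with one slot per configured HTTP_ param, filled with one entry per matching request header, which a duplicated header overruns. The second routine records each header name once and, as the reply above asks, decides "already seen" by comparing the bytes rather than the hash alone. The names, the hash function, the `name_t` type and the '_' to '-' folding are assumptions of this model, not nginx internals.

```c
#include <ctype.h>
#include <stddef.h>

/* Added model, not nginx's code: a name, its length, and a cached hash. */
typedef struct { const char *name; size_t len; unsigned int hash; } name_t;
#define NAME(s)   { (s), sizeof(s) - 1, 0 }
#define COUNT(a)  (sizeof(a) / sizeof((a)[0]))

/* Illustrative case-folding hash; stands in for nginx's lowercase key hash. */
static unsigned int hash_lc(const name_t *k)
{
    unsigned int  h = 5381;
    size_t        i;
    for (i = 0; i < k->len; i++) {
        h = h * 33 + (unsigned char) tolower((unsigned char) k->name[i]);
    }
    return h;
}

/* Case-insensitive comparison of header name 'a' against 'b'; when 'b' is a
 * param name (minus "HTTP_") its '_' stands for '-', as in the patch. */
static int name_equal(const name_t *a, const name_t *b, int b_is_param)
{
    size_t  i;
    int     c;
    if (a->len != b->len) return 0;
    for (i = 0; i < a->len; i++) {
        c = tolower((unsigned char) b->name[i]);
        if (b_is_param && c == '_') c = '-';
        if (tolower((unsigned char) a->name[i]) != c) return 0;
    }
    return 1;
}

/* Bookkeeping as the report describes it: one slot per configured param, and
 * every matching request header appends its hash. A duplicated header pushes
 * the append past 'cap'; instead of writing out of bounds this returns -1. */
static int collect_naive(const name_t *params, size_t nparams,
                         const name_t *req, size_t nreq,
                         unsigned int *slots, size_t cap)
{
    size_t  i, j, n = 0;
    for (i = 0; i < nreq; i++) {
        for (j = 0; j < nparams; j++) {
            if (!name_equal(&req[i], &params[j], 1)) continue;
            if (n == cap) return -1;
            slots[n++] = hash_lc(&req[i]);
            break;
        }
    }
    return (int) n;
}

/* Fixed bookkeeping: each header name is recorded once, and "already seen" is
 * decided by comparing the bytes after the hash matches, since hashes collide.
 * Each param matches one folded name, so the count never exceeds nparams. */
static int collect_dedup(const name_t *params, size_t nparams,
                         const name_t *req, size_t nreq,
                         name_t *seen, size_t cap)
{
    size_t        i, j, k, n = 0;
    unsigned int  h;
    for (i = 0; i < nreq; i++) {
        for (j = 0; j < nparams; j++) {
            if (!name_equal(&req[i], &params[j], 1)) continue;
            h = hash_lc(&req[i]);
            for (k = 0; k < n; k++) {
                if (seen[k].hash == h && name_equal(&req[i], &seen[k], 0)) break;
            }
            if (k == n) {               /* first occurrence of this name */
                if (n == cap) return -1;
                seen[n] = req[i];
                seen[n++].hash = h;
            }
            break;
        }
    }
    return (int) n;
}

/* Constructed config and request from the report: HTTP_HOST is overridden
 * and the client sends Host twice (the copies differ only in case). */
static const name_t demo_params[] = { NAME("HOST"), NAME("X_FORWARDED_FOR") };
static const name_t demo_req[] = { NAME("Host"), NAME("host"),
                                   NAME("X-Forwarded-For"), NAME("Accept") };
int demo_naive(void)
{
    unsigned int  slots[COUNT(demo_params)];
    return collect_naive(demo_params, COUNT(demo_params),
                         demo_req, COUNT(demo_req), slots, COUNT(slots));
}

int demo_dedup(void)
{
    name_t  seen[COUNT(demo_params)];
    return collect_dedup(demo_params, COUNT(demo_params),
                         demo_req, COUNT(demo_req), seen, COUNT(seen));
}
```

With the constructed request, demo_naive runs out of slots on the third matching header and returns -1 (the spot where the real code would write past its allocation), while demo_dedup returns 2. The same folding that makes this model compact is the objection raised above: because '_' in the param always stands for '-', a request header literally named X_Foo can never be matched by any fastcgi_param, so a real fix has to settle the mapping on the request side first.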
