[PATCH] Fastcgi: core dump was caused by duplicated request header
Maxim Dounin
mdounin at mdounin.ru
Thu Jun 2 13:52:54 MSD 2011
Hello!
On Thu, Jun 02, 2011 at 03:28:50PM +0800, Simon Liu wrote:
> Thanks for your review.
>
> this is new patch:
[...]
> +static ngx_inline ngx_int_t
> +ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored, ngx_table_elt_t
> *header, ngx_uint_t header_params)
> +{
> + ngx_uint_t n;
> + ngx_table_elt_t *h;
> +
> + for (n = 0; n < header_params; n++) {
> + h = ignored[n];
> +
> + if (header->key.len == h->key.len
> + && ngx_memcmp(header->lowcase_key, h->lowcase_key,
> header->key.len) == 0) {
> +
> + return NGX_OK;
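Review bot: h = ignored[n] is dereferenced straight away in the comparison (h->key.len, h->lowcase_key) with no check, so the function depends on every one of the first header_params slots of ignored being filled. Please add a comment above the function stating that invariant, and that NGX_OK here means "this header is already in the ignored list", so callers can verify the contract.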
This relies on lowcase_key of the first added header and the
duplicate one to match, but it may not be true, e.g.
X-Blah-Blah
X_Blah_Blah
would have non-matching lowcase_key (but both should be ignored,
as they both map to HTTP_BLAH_BLAH fastcgi key). Request with
such duplicate headers will cause the same buffer overflow as in
the original bug (again, assuming underscores_in_headers is on).
Maxim Dounin
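
The mismatch described in the reply above, as an added example that is not part of the original message and is not nginx code: two header names that differ only in '-' versus '_' compare unequal by lower-cased name but equal by the CGI-style parameter name built from them. The helpers param_name, same_lowcase and same_param and the 128-byte buffers are hypothetical names and sizes chosen for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an nginx function): write the CGI-style
 * parameter name for a header into dst: "HTTP_" prefix, letters
 * upper-cased, '-' turned into '_'. Returns 0, or -1 if dst is too small. */
static int param_name(const char *header, char *dst, size_t dstlen)
{
    size_t i, len = strlen(header);

    if (len + sizeof("HTTP_") > dstlen) return -1;  /* prefix + name + NUL */
    memcpy(dst, "HTTP_", 5);
    for (i = 0; i < len; i++) {
        unsigned char ch = (unsigned char) header[i];
        dst[5 + i] = (ch == '-') ? '_' : (char) toupper(ch);
    }
    dst[5 + len] = '\0';
    return 0;
}

/* Duplicate test on the lower-cased header name, as in the quoted patch. */
static int same_lowcase(const char *a, const char *b)
{
    size_t i, len = strlen(a);

    if (len != strlen(b)) return 0;
    for (i = 0; i < len; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i])) return 0;
    }
    return 1;
}

/* Duplicate test on the generated parameter name: 1 if both headers map
 * to the same name, 0 if not, -1 if a name does not fit the buffer. */
static int same_param(const char *a, const char *b)
{
    char pa[128], pb[128];

    if (param_name(a, pa, sizeof(pa)) || param_name(b, pb, sizeof(pb))) return -1;
    return strcmp(pa, pb) == 0;
}

int main(void)
{
    printf("lowcase match: %d\n", same_lowcase("X-Blah-Blah", "X_Blah_Blah"));
    printf("param match:   %d\n", same_param("X-Blah-Blah", "X_Blah_Blah"));
    return 0;
}
```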