[PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin mdounin at mdounin.ru
Thu Jun 2 13:52:54 MSD 2011


Hello!

On Thu, Jun 02, 2011 at 03:28:50PM +0800, Simon Liu wrote:

> Thanks for your review.
> 
> this is new patch:

[...]

> +static ngx_inline ngx_int_t
> +ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored, ngx_table_elt_t
> *header, ngx_uint_t header_params)
> +{
> +    ngx_uint_t          n;
> +    ngx_table_elt_t    *h;
> +
> +    for (n = 0; n < header_params; n++) {
> +        h = ignored[n];
> +
> +        if (header->key.len == h->key.len
> +            && ngx_memcmp(header->lowcase_key, h->lowcase_key,
> header->key.len) == 0) {
> +
> +            return NGX_OK;
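
Review bot: The function signature and the `ngx_memcmp(` call are wrapped by the mail client, and the continuation lines (`*header, ngx_uint_t header_params)` and `header->key.len) == 0) {`) carry no leading `+`, so this hunk will not apply as sent; resend it as an attachment or with line wrapping disabled. The count parameter `header_params` also reads like a flag rather than the number of entries in `ignored`; a clearer name would make the loop bound `n < header_params` easier to check against the size of the array being indexed.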

This relies on lowcase_key of the first added header and the 
duplicate one to match, but it may not be true, e.g.

X-Blah-Blah
X_Blah_Blah

would have non-matching lowcase_key (but both should be ignored, 
as they both map to HTTP_BLAH_BLAH fastcgi key).  Request with 
such duplicate headers will cause the same buffer overflow as in 
the original bug (again, assuming underscores_in_headers is on).

Maxim Dounin
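
The mismatch described in the reply above, as an added example that is not part of the original message and is not nginx code: comparing lowercased header names misses the X-Blah-Blah / X_Blah_Blah pair, while comparing the derived FastCGI parameter name catches it. The helper names and the 256-byte buffers are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: build the FastCGI parameter name for a request
 * header ("HTTP_" prefix, upper case, '-' becomes '_').
 * Returns the length written, or 0 if out is too small. */
static size_t fcgi_param_name(const char *header, char *out, size_t size)
{
    size_t  i, len = strlen(header);
    if (size < sizeof("HTTP_") + len) {   /* sizeof counts the NUL */
        return 0;
    }
    memcpy(out, "HTTP_", 5);
    for (i = 0; i < len; i++) {
        unsigned char  ch = (unsigned char) header[i];
        out[5 + i] = (ch == '-') ? '_' : (char) toupper(ch);
    }
    out[5 + len] = '\0';
    return 5 + len;
}

/* The kind of comparison the patch makes: lowercased names only. */
static int same_lowcase_key(const char *a, const char *b)
{
    size_t  i, len = strlen(a);
    if (len != strlen(b)) {
        return 0;
    }
    for (i = 0; i < len; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i])) {
            return 0;
        }
    }
    return 1;
}

/* Duplicate check on the derived parameter name instead. */
static int same_fcgi_param(const char *a, const char *b)
{
    char  pa[256], pb[256];
    return fcgi_param_name(a, pa, sizeof(pa)) != 0
           && fcgi_param_name(b, pb, sizeof(pb)) != 0
           && strcmp(pa, pb) == 0;
}
```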


