[PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu simohayha.bobo at gmail.com
Fri Jun 10 10:53:11 MSD 2011 

Thanks!

This is new patch:

Index: src/http/modules/ngx_http_fastcgi_module.c
===================================================================
--- src/http/modules/ngx_http_fastcgi_module.c    (revision 3937)
+++ src/http/modules/ngx_http_fastcgi_module.c    (working copy)
@@ -165,7 +165,10 @@
 static char *ngx_http_fastcgi_lowat_check(ngx_conf_t *cf, void *post,
     void *data);

+static ngx_int_t ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored,
+    ngx_table_elt_t *header, ngx_uint_t header_params, ngx_uint_t
allow_underscores)

+
 static ngx_conf_post_t  ngx_http_fastcgi_lowat_post =
     { ngx_http_fastcgi_lowat_check };

@@ -685,6 +688,57 @@


 static ngx_int_t
+ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored, ngx_table_elt_t
*header,
+    ngx_uint_t header_params, ngx_uint_t allow_underscores)
+{
+    ngx_uint_t          n, i, duplicate;
+    ngx_table_elt_t    *h;
+
+    for (n = 0; n < header_params; n++) {
+        h = ignored[n];
+
+        if (h == header) {
+            return NGX_OK;
+        }
+
+        if (header->key.len != h->key.len) {
+            continue;
+        }
+
+        if (allow_underscores) {
+            duplicate = 1;
+
+            for (i = 0; i < header->key.len; i++) {
+
+                if (header->lowcase_key[i] != h->lowcase_key[i]) {
+                    if ((header->lowcase_key[i] == '_' && h->lowcase_key[i]
== '-')
+                         || (header->lowcase_key[i] == '-' &&
h->lowcase_key[i] == '_')) {
+                        continue;
+                    }
+
+                    duplicate = 0;
+                    break;
+                }
+            }
+
+            if (duplicate) {
+                return NGX_OK;
+            }
+
+        } else {
+
+            if (ngx_memcmp(header->lowcase_key, h->lowcase_key,
header->key.len) == 0) {
+
+                return NGX_OK;
+            }
+        }
+    }
+
+    return NGX_DECLINED;
+}
+
+
+static ngx_int_t
 ngx_http_fastcgi_create_request(ngx_http_request_t *r)
 {
     off_t                         file_pos;
@@ -699,6 +753,7 @@
     ngx_http_script_code_pt       code;
     ngx_http_script_engine_t      e, le;
     ngx_http_fastcgi_header_t    *h;
+    ngx_http_core_srv_conf_t     *cscf;
     ngx_http_fastcgi_loc_conf_t  *flcf;
     ngx_http_script_len_code_pt   lcode;

@@ -707,6 +762,7 @@
     ignored = NULL;

     flcf = ngx_http_get_module_loc_conf(r, ngx_http_fastcgi_module);
+    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

     if (flcf->params_len) {
         ngx_memzero(&le, sizeof(ngx_http_script_engine_t));
@@ -784,6 +840,13 @@
                 }

                 if (ngx_hash_find(&flcf->headers_hash, hash, lowcase_key,
n)) {
+
+                    if (header_params == flcf->header_params ||
+                        ngx_http_fastcgi_ignored_header(ignored,
&header[i],
+                            header_params, cscf->underscores_in_headers) ==
NGX_OK) {
+                        continue;
+                    }
+
                     ignored[header_params++] = &header[i];
                     continue;
                 }
@@ -915,10 +978,9 @@
                 i = 0;
             }

-            for (n = 0; n < header_params; n++) {
-                if (&header[i] == ignored[n]) {
-                    goto next;
-                }
+            if (ngx_http_fastcgi_ignored_header(ignored, &header[i],
+                    header_params, cscf->underscores_in_headers) == NGX_OK)
{
+                continue;
             }

             key_len = sizeof("HTTP_") - 1 + header[i].key.len;
@@ -964,9 +1026,6 @@
                            "fastcgi param: \"%*s: %*s\"",
                            key_len, b->last - (key_len + val_len),
                            val_len, b->last - val_len);
-        next:
-
-            continue;
         }
     }



On Thu, Jun 2, 2011 at 5:52 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Jun 02, 2011 at 03:28:50PM +0800, Simon Liu wrote:
>
> > Thanks for your review.
> >
> > this is new patch:
>
> [...]
>
> > +static ngx_inline ngx_int_t
> > +ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored,
> ngx_table_elt_t
> > *header, ngx_uint_t header_params)
> > +{
> > +    ngx_uint_t          n;
> > +    ngx_table_elt_t    *h;
> > +
> > +    for (n = 0; n < header_params; n++) {
> > +        h = ignored[n];
> > +
> > +        if (header->key.len == h->key.len
> > +            && ngx_memcmp(header->lowcase_key, h->lowcase_key,
> > header->key.len) == 0) {
> > +
> > +            return NGX_OK;
>
> This relies on lowcase_key of the first added header and the
> duplicate one to match, but it's may not be true, e.g.
>
> X-Blah-Blah
> X_Blah_Blah
>
> would have non-matching lowcase_key (but both should be ignored,
> as they both maps to HTTP_BLAH_BLAH fastcgi key).  Request with
> such duplicate headers will cause the same buffer overflow as in
> the original bug (again, assuming underscores_in_headers is on).
>
> Maxim Dounin
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://nginx.org/mailman/listinfo/nginx-devel
>



-- 
博观约取

豆瓣:www.douban.com/people/mustang/

blog: www.pagefault.info

twitter: www.twitter.com/minibobo

sina 微博:  www.weibo.com/diaoliang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110610/78b689f3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fastcgi.patch
Type: text/x-patch
Size: 3838 bytes
Desc: not available
URL: <http://nginx.org/pipermail/nginx-devel/attachments/20110610/78b689f3/attachment.bin>

More information about the nginx-devel mailing list