[PATCH] SPDY: Kill unsafe version of ngx_spdy_frame_write_len macro.

Piotr Sikora piotr.sikora at frickle.com
Mon Jun 25 14:42:31 UTC 2012


commit 13d9f7edd9ad88e2bb1fb32a61b439c332c04076
Author: Piotr Sikora <piotr.sikora at frickle.com>
Date:   Mon Jun 25 14:32:33 2012 +0000

    Kill unsafe version of ngx_spdy_frame_write_len macro.

    This macro was accessing 4 bytes (via both: cast to uint32_t and
    read of p[3]), instead of 3 bytes it was supposed to, which could
    result in reads outside of the allocated memory region and SIGSEGV.

    Signed-off-by: Piotr Sikora <piotr.sikora at frickle.com>

diff --git a/src/http/ngx_http_spdy.h b/src/http/ngx_http_spdy.h
index b26e05d..018624b 100644
--- a/src/http/ngx_http_spdy.h
+++ b/src/http/ngx_http_spdy.h
@@ -112,9 +112,6 @@ void ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
#define ngx_spdy_frame_write_uint32(p, s)                                     \
     (*(uint32_t *) (p) = htonl(s), (p) + 4)

-#define ngx_spdy_frame_write_len(p, s)                                        \
-    (*(uint32_t *) (p) = htonl(((s) << 8) | (p)[3]), (p) + 3)
-
#define ngx_spdy_frame_write_len_unsafe(p, s)                                 \
     (*(uint32_t *) (p) = htonl((s) << 8), (p) + 3)

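Review bot: The surviving `ngx_spdy_frame_write_len_unsafe` in this branch still stores four bytes through the `uint32_t` cast while advancing `p` by only three, and nothing in the header states that contract. For a length that fits in 24 bits the store sets `(p)[3]` to zero, so that byte must lie inside the allocated buffer; this is the write-side counterpart of the out-of-bounds read the commit message describes for the removed macro. I would add above it `/* stores 4 bytes: (p)[3] is zeroed and must be writable; use ngx_spdy_frame_write_len when only 3 bytes remain */`. The preprocessor conditional that selects this branch starts above the hunk, so the alignment assumptions behind the cast are not visible here.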
@@ -131,13 +128,13 @@ void ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
     (p)[2] = (u_char) (s) >> 8,                                               \
     (p)[3] = (u_char) (s), (p) + 4)

+#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
+
+#endif
+
#define ngx_spdy_frame_write_len(p, s)                                        \
     ((p)[0] = (u_char) ((s) >> 16),                                           \
     (p)[1] = (u_char) ((s) >> 8),                                             \
     (p)[2] = (u_char) (s), (p) + 3)

-#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
-
-#endif
-
#endif /* _NGX_HTTP_SPDY_H_INCLUDED_ */
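Review bot: The context line `(p)[2] = (u_char) (s) >> 8,` casts before it shifts, so the value stored in `(p)[2]` is `((u_char) (s)) >> 8`, which is zero for any `s`. The relocated `ngx_spdy_frame_write_len` just below parenthesizes the shift, and this line should match it: `(p)[2] = (u_char) ((s) >> 8),`. The macro this line belongs to begins above the hunk (it looks like the byte-wise 32-bit writer), so its earlier byte stores should be checked for the same slip. The commit leaves this line untouched, but a silently zeroed byte in a serialized field is worth fixing while this header is being changed.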


