[PATCH] SPDY: Kill unsafe version of ngx_spdy_frame_write_len macro.
Piotr Sikora
piotr.sikora at frickle.com
Mon Jun 25 14:42:31 UTC 2012
commit 13d9f7edd9ad88e2bb1fb32a61b439c332c04076
Author: Piotr Sikora <piotr.sikora at frickle.com>
Date: Mon Jun 25 14:32:33 2012 +0000
Kill unsafe version of ngx_spdy_frame_write_len macro.
This macro was accessing 4 bytes (via both: cast to uint32_t and
read of p[3]), instead of 3 bytes it was supposed to, which could
result in reads outside of the allocated memory region and SIGSEGV.
Signed-off-by: Piotr Sikora <piotr.sikora at frickle.com>
diff --git a/src/http/ngx_http_spdy.h b/src/http/ngx_http_spdy.h
index b26e05d..018624b 100644
--- a/src/http/ngx_http_spdy.h
+++ b/src/http/ngx_http_spdy.h
@@ -112,9 +112,6 @@ void ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
#define ngx_spdy_frame_write_uint32(p, s) \
(*(uint32_t *) (p) = htonl(s), (p) + 4)
-#define ngx_spdy_frame_write_len(p, s) \
- (*(uint32_t *) (p) = htonl(((s) << 8) | (p)[3]), (p) + 3)
-
#define ngx_spdy_frame_write_len_unsafe(p, s) \
(*(uint32_t *) (p) = htonl((s) << 8), (p) + 3)
@@ -131,13 +128,13 @@ void ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
(p)[2] = (u_char) (s) >> 8, \
(p)[3] = (u_char) (s), (p) + 4)
+#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
+
+#endif
+
#define ngx_spdy_frame_write_len(p, s) \
((p)[0] = (u_char) ((s) >> 16), \
(p)[1] = (u_char) ((s) >> 8), \
(p)[2] = (u_char) (s), (p) + 3)
-#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
-
-#endif
-
#endif /* _NGX_HTTP_SPDY_H_INCLUDED_ */
More information about the nginx-devel
mailing list