[nginx] Dav: ngx_http_map_uri_to_path() errors were not checked.

Maxim Dounin mdounin at mdounin.ru
Fri Aug 1 03:31:49 UTC 2014 

details:   http://hg.nginx.org/nginx/rev/1f70fe0d9576
branches:  
changeset: 5781:1f70fe0d9576
user:      FengGu <flygoast at 126.com>
date:      Wed Jul 30 14:45:08 2014 +0800
description:
Dav: ngx_http_map_uri_to_path() errors were not checked.

Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.

diffstat:

 src/http/modules/ngx_http_dav_module.c |  20 ++++++++++++++++----
 1 files changed, 16 insertions(+), 4 deletions(-)

diffs (58 lines):

diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -212,7 +212,10 @@ ngx_http_dav_put_handler(ngx_http_reques
         return;
     }
 
-    ngx_http_map_uri_to_path(r, &path, &root, 0);
+    if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) {
+        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return;
+    }
 
     path.len--;
 
@@ -320,7 +323,9 @@ ngx_http_dav_delete_handler(ngx_http_req
 
 ok:
 
-    ngx_http_map_uri_to_path(r, &path, &root, 0);
+    if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "http delete filename: \"%s\"", path.data);
@@ -488,6 +493,9 @@ ngx_http_dav_mkcol_handler(ngx_http_requ
     }
 
     p = ngx_http_map_uri_to_path(r, &path, &root, 0);
+    if (p == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     *(p - 1) = '\0';
     r->uri.len--;
@@ -666,7 +674,9 @@ destination_done:
 
 overwrite_done:
 
-    ngx_http_map_uri_to_path(r, &path, &root, 0);
+    if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "http copy from: \"%s\"", path.data);
@@ -674,7 +684,9 @@ overwrite_done:
     uri = r->uri;
     r->uri = duri;
 
-    ngx_http_map_uri_to_path(r, &copy.path, &root, 0);
+    if (ngx_http_map_uri_to_path(r, &copy.path, &root, 0) == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     r->uri = uri;

More information about the nginx-devel mailing list