[nginx] Core: overflow detection in number parsing functions.

Maxim Dounin mdounin at mdounin.ru
Tue Apr 7 13:04:49 UTC 2015


details:   http://hg.nginx.org/nginx/rev/516d8e299273
branches:  stable-1.6
changeset: 6083:516d8e299273
user:      Ruslan Ermilov <ru at nginx.com>
date:      Tue Mar 17 00:26:15 2015 +0300
description:
Core: overflow detection in number parsing functions.

diffstat:

 src/core/ngx_parse.c  |  25 +++++++-----
 src/core/ngx_string.c |  99 +++++++++++++++++++++++++++++---------------------
 2 files changed, 72 insertions(+), 52 deletions(-)

diffs (truncated from 317 to 300 lines):

diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -12,10 +12,9 @@
 ssize_t
 ngx_parse_size(ngx_str_t *line)
 {
-    u_char     unit;
-    size_t     len;
-    ssize_t    size;
-    ngx_int_t  scale;
+    u_char   unit;
+    size_t   len;
+    ssize_t  size, scale, max;
 
     len = line->len;
     unit = line->data[len - 1];
@@ -24,21 +23,24 @@ ngx_parse_size(ngx_str_t *line)
     case 'K':
     case 'k':
         len--;
+        max = NGX_MAX_SIZE_T_VALUE / 1024;
         scale = 1024;
         break;
 
     case 'M':
     case 'm':
         len--;
+        max = NGX_MAX_SIZE_T_VALUE / (1024 * 1024);
         scale = 1024 * 1024;
         break;
 
     default:
+        max = NGX_MAX_SIZE_T_VALUE;
         scale = 1;
     }
 
     size = ngx_atosz(line->data, len);
-    if (size == NGX_ERROR) {
+    if (size == NGX_ERROR || size > max) {
         return NGX_ERROR;
     }
 
@@ -51,10 +53,9 @@ ngx_parse_size(ngx_str_t *line)
 off_t
 ngx_parse_offset(ngx_str_t *line)
 {
-    u_char     unit;
-    off_t      offset;
-    size_t     len;
-    ngx_int_t  scale;
+    u_char  unit;
+    off_t   offset, scale, max;
+    size_t  len;
 
     len = line->len;
     unit = line->data[len - 1];
@@ -63,27 +64,31 @@ ngx_parse_offset(ngx_str_t *line)
     case 'K':
     case 'k':
         len--;
+        max = NGX_MAX_OFF_T_VALUE / 1024;
         scale = 1024;
         break;
 
     case 'M':
     case 'm':
         len--;
+        max = NGX_MAX_OFF_T_VALUE / (1024 * 1024);
         scale = 1024 * 1024;
         break;
 
     case 'G':
     case 'g':
         len--;
+        max = NGX_MAX_OFF_T_VALUE / (1024 * 1024 * 1024);
         scale = 1024 * 1024 * 1024;
         break;
 
     default:
+        max = NGX_MAX_OFF_T_VALUE;
         scale = 1;
     }
 
     offset = ngx_atoof(line->data, len);
-    if (offset == NGX_ERROR) {
+    if (offset == NGX_ERROR || offset > max) {
         return NGX_ERROR;
     }
 
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -897,26 +897,28 @@ ngx_filename_cmp(u_char *s1, u_char *s2,
 ngx_int_t
 ngx_atoi(u_char *line, size_t n)
 {
-    ngx_int_t  value;
+    ngx_int_t  value, cutoff, cutlim;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_INT_T_VALUE / 10;
+    cutlim = NGX_MAX_INT_T_VALUE % 10;
+
     for (value = 0; n--; line++) {
         if (*line < '0' || *line > '9') {
             return NGX_ERROR;
         }
 
+        if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+            return NGX_ERROR;
+        }
+
         value = value * 10 + (*line - '0');
     }
 
-    if (value < 0) {
-        return NGX_ERROR;
-
-    } else {
-        return value;
-    }
+    return value;
 }
 
 
@@ -925,13 +927,16 @@ ngx_atoi(u_char *line, size_t n)
 ngx_int_t
 ngx_atofp(u_char *line, size_t n, size_t point)
 {
-    ngx_int_t   value;
+    ngx_int_t   value, cutoff, cutlim;
     ngx_uint_t  dot;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_INT_T_VALUE / 10;
+    cutlim = NGX_MAX_INT_T_VALUE % 10;
+
     dot = 0;
 
     for (value = 0; n--; line++) {
@@ -953,98 +958,107 @@ ngx_atofp(u_char *line, size_t n, size_t
             return NGX_ERROR;
         }
 
+        if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+            return NGX_ERROR;
+        }
+
         value = value * 10 + (*line - '0');
         point -= dot;
     }
 
     while (point--) {
+        if (value > cutoff) {
+            return NGX_ERROR;
+        }
+
         value = value * 10;
     }
 
-    if (value < 0) {
-        return NGX_ERROR;
-
-    } else {
-        return value;
-    }
+    return value;
 }
 
 
 ssize_t
 ngx_atosz(u_char *line, size_t n)
 {
-    ssize_t  value;
+    ssize_t  value, cutoff, cutlim;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_SIZE_T_VALUE / 10;
+    cutlim = NGX_MAX_SIZE_T_VALUE % 10;
+
     for (value = 0; n--; line++) {
         if (*line < '0' || *line > '9') {
             return NGX_ERROR;
         }
 
+        if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+            return NGX_ERROR;
+        }
+
         value = value * 10 + (*line - '0');
     }
 
-    if (value < 0) {
-        return NGX_ERROR;
-
-    } else {
-        return value;
-    }
+    return value;
 }
 
 
 off_t
 ngx_atoof(u_char *line, size_t n)
 {
-    off_t  value;
+    off_t  value, cutoff, cutlim;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_OFF_T_VALUE / 10;
+    cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
     for (value = 0; n--; line++) {
         if (*line < '0' || *line > '9') {
             return NGX_ERROR;
         }
 
+        if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+            return NGX_ERROR;
+        }
+
         value = value * 10 + (*line - '0');
     }
 
-    if (value < 0) {
-        return NGX_ERROR;
-
-    } else {
-        return value;
-    }
+    return value;
 }
 
 
 time_t
 ngx_atotm(u_char *line, size_t n)
 {
-    time_t  value;
+    time_t  value, cutoff, cutlim;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_TIME_T_VALUE / 10;
+    cutlim = NGX_MAX_TIME_T_VALUE % 10;
+
     for (value = 0; n--; line++) {
         if (*line < '0' || *line > '9') {
             return NGX_ERROR;
         }
 
+        if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+            return NGX_ERROR;
+        }
+
         value = value * 10 + (*line - '0');
     }
 
-    if (value < 0) {
-        return NGX_ERROR;
-
-    } else {
-        return value;
-    }
+    return value;
 }
 
 
@@ -1052,13 +1066,19 @@ ngx_int_t
 ngx_hextoi(u_char *line, size_t n)
 {
     u_char     c, ch;
-    ngx_int_t  value;
+    ngx_int_t  value, cutoff;
 
     if (n == 0) {
         return NGX_ERROR;
     }
 
+    cutoff = NGX_MAX_INT_T_VALUE / 16;
+
     for (value = 0; n--; line++) {
+        if (value > cutoff) {
+            return NGX_ERROR;
+        }
+



More information about the nginx-devel mailing list