[nginx] Overflow detection in ngx_http_parse_chunked().
Maxim Dounin
mdounin at mdounin.ru
Tue Apr 7 13:05:26 UTC 2015
details: http://hg.nginx.org/nginx/rev/b5094e26e4e5
branches: stable-1.6
changeset: 6088:b5094e26e4e5
user: Ruslan Ermilov <ru at nginx.com>
date: Tue Mar 17 00:26:27 2015 +0300
description:
Overflow detection in ngx_http_parse_chunked().
diffstat:
src/http/ngx_http_parse.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diffs (36 lines):
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2104,6 +2104,10 @@ ngx_http_parse_chunked(ngx_http_request_
goto invalid;
case sw_chunk_size:
+ if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+ goto invalid;
+ }
+
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
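Review bot: The new guard at the top of `case sw_chunk_size:` has no comment explaining why it must run before the multiplication, which is the security-relevant point of the change. The `ctx->size < 0` test removed in the last hunk could only see an overflow after `ctx->size * 16` had already been computed; for what is presumably a signed `off_t` that is undefined behaviour and can wrap to a non-negative value. A comment such as `/* reject before ctx->size * 16 can overflow; a sign check afterwards is not reliable */` would keep a later refactor from moving the check back. The guard is also evaluated for every byte seen in this state, not only hex digits, so a size above `NGX_MAX_OFF_T_VALUE / 16` is rejected even when the next byte ends the size field; that is conservative, but worth stating in the same comment. The case body continues outside the hunk.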
@@ -2253,6 +2257,10 @@ data:
ctx->state = state;
b->pos = pos;
+ if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+ goto invalid;
+ }
+
switch (state) {
case sw_chunk_start:
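Review bot: The constant `5` in `ctx->size > NGX_MAX_OFF_T_VALUE - 5` is unexplained. It presumably matches the largest fixed framing overhead added to `ctx->size` when `ctx->length` is computed in the `switch (state)` that follows, whose arms are outside this hunk. If so, dropping the `ctx->length < 0` check in the last hunk is only safe while that bound stays accurate. A comment like `/* ctx->length below adds at most 5 bytes of framing to ctx->size */` would tie the two together; confirm the figure against the switch arms, and update it if an arm is ever added.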
@@ -2289,10 +2297,6 @@ data:
}
- if (ctx->size < 0 || ctx->length < 0) {
- goto invalid;
- }
-
return rc;
done: