[nginx] Overflow detection in ngx_http_parse_chunked().
Ruslan Ermilov
ru at nginx.com
Tue Mar 17 10:00:09 UTC 2015
details: http://hg.nginx.org/nginx/rev/e370c5fdf4c8
branches:
changeset: 6014:e370c5fdf4c8
user: Ruslan Ermilov <ru at nginx.com>
date: Tue Mar 17 00:26:27 2015 +0300
description:
Overflow detection in ngx_http_parse_chunked().
diffstat:
src/http/ngx_http_parse.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diffs (36 lines):
diff -r 9653092a79fd -r e370c5fdf4c8 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Tue Mar 17 00:26:24 2015 +0300
+++ b/src/http/ngx_http_parse.c Tue Mar 17 00:26:27 2015 +0300
@@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_
goto invalid;
case sw_chunk_size:
+ if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+ goto invalid;
+ }
+
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
@@ -2304,6 +2308,10 @@ data:
ctx->state = state;
b->pos = pos;
+ if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+ goto invalid;
+ }
+
switch (state) {
case sw_chunk_start:
@@ -2340,10 +2348,6 @@ data:
}
- if (ctx->size < 0 || ctx->length < 0) {
- goto invalid;
- }
-
return rc;
done:
More information about the nginx-devel
mailing list