[nginx] Overflow detection in ngx_http_parse_chunked().

Ruslan Ermilov ru at nginx.com
Tue Mar 17 10:00:09 UTC 2015


details:   http://hg.nginx.org/nginx/rev/e370c5fdf4c8
branches:  
changeset: 6014:e370c5fdf4c8
user:      Ruslan Ermilov <ru at nginx.com>
date:      Tue Mar 17 00:26:27 2015 +0300
description:
Overflow detection in ngx_http_parse_chunked().

diffstat:

 src/http/ngx_http_parse.c |  12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 9653092a79fd -r e370c5fdf4c8 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c	Tue Mar 17 00:26:24 2015 +0300
+++ b/src/http/ngx_http_parse.c	Tue Mar 17 00:26:27 2015 +0300
@@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_
             goto invalid;
 
         case sw_chunk_size:
+            if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+                goto invalid;
+            }
+
             if (ch >= '0' && ch <= '9') {
                 ctx->size = ctx->size * 16 + (ch - '0');
                 break;
@@ -2304,6 +2308,10 @@ data:
     ctx->state = state;
     b->pos = pos;
 
+    if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+        goto invalid;
+    }
+
     switch (state) {
 
     case sw_chunk_start:
@@ -2340,10 +2348,6 @@ data:
 
     }
 
-    if (ctx->size < 0 || ctx->length < 0) {
-        goto invalid;
-    }
-
     return rc;
 
 done:



More information about the nginx-devel mailing list