[nginx] HTTP/2: avoid left-shifting signed integer into the sign bit.
Sergey Kandaurov
pluknet at nginx.com
Thu Jul 7 18:08:24 UTC 2016
details: http://hg.nginx.org/nginx/rev/ad736705a744
branches:
changeset: 6627:ad736705a744
user: Sergey Kandaurov <pluknet at nginx.com>
date: Thu Jul 07 21:03:21 2016 +0300
description:
HTTP/2: avoid left-shifting signed integer into the sign bit.

On non-aligned platforms, properly cast argument before left-shifting it in
ngx_http_v2_parse_uint32 that is used with u_char. Otherwise it propagates
to int to hold the value and can step over the sign bit. Usually, on known
compilers, this results in negation. Furthermore, a subsequent store into a
wider type, that is ngx_uint_t on 64-bit platforms, results in sign-extension.

In practice, this can be observed in debug log as a very large exclusive bit
value, when client sent PRIORITY frame with exclusive bit set:

: *14 http2 PRIORITY frame sid:5 on 1 excl:8589934591 weight:17

Found with UndefinedBehaviorSanitizer.
diffstat:
src/http/v2/ngx_http_v2.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diffs (12 lines):
diff -r b3682580c1bd -r ad736705a744 src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h Thu Jul 07 21:02:28 2016 +0300
+++ b/src/http/v2/ngx_http_v2.h Thu Jul 07 21:03:21 2016 +0300
@@ -298,7 +298,7 @@ size_t ngx_http_v2_huff_encode(u_char *s
#define ngx_http_v2_parse_uint16(p) ((p)[0] << 8 | (p)[1])
#define ngx_http_v2_parse_uint32(p) \
- ((p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3])
+ ((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3])
#endif
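Review bot: on the `+` line the cast is applied only to `(p)[0]`, and the macro relies on the usual arithmetic conversions to pull `(p)[1] << 16 | (p)[2] << 8 | (p)[3]` into unsigned arithmetic; that is correct, but it is easy to undo in a later edit, so a one-line comment above the macro saying why the first operand is cast would help. The unchanged `ngx_http_v2_parse_uint16` above it still evaluates `(p)[0] << 8` as int; the largest value is 0xff00, so with a 32-bit int nothing reaches the sign bit, but the two macros now yield different types (int and uint32_t), and casting there as well would keep them consistent. The `#endif` shows this is one branch of a conditional whose other branch is not visible in the hunk, so it is worth confirming that branch returns the same unsigned type.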
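The promotion and sign-extension described in the commit message, as an added C example (not nginx code and not part of the original post). The helper names, the 64-bit stand-in for ngx_uint_t, the `>> 31` extraction of the exclusive bit and the sample bytes are assumptions made for illustration; the old behaviour is modelled in defined arithmetic rather than by executing the undefined shift.

```c
#include <stdint.h>
#include <stdio.h>

/* Patched form of the expression, as on the '+' line of the diff. */
#define parse_uint32_fixed(p) \
    ((uint32_t) (p)[0] << 24 | (p)[1] << 16 | (p)[2] << 8 | (p)[3])

/* Constructed sample: 4-byte dependency field with the top (exclusive)
 * bit set and stream id 1. */
static const unsigned char sample_priority[4] = { 0x80, 0x00, 0x00, 0x01 };

/* Model of the pre-patch result: the same bit pattern held in a 32-bit
 * signed int, which is negative when bit 31 is set. Assumes the usual
 * outcome on two's-complement compilers; computed without overflow. */
static int32_t parse_uint32_old_model(const unsigned char *p)
{
    uint32_t u = parse_uint32_fixed(p);
    return (u >> 31) ? -(int32_t) ~u - 1 : (int32_t) u;
}

/* Store into a 64-bit unsigned variable (hypothetical stand-in for
 * ngx_uint_t on a 64-bit platform): a negative int is sign-extended. */
static uint64_t widen_old(const unsigned char *p)
{
    return (uint64_t) parse_uint32_old_model(p);
}

static uint64_t widen_fixed(const unsigned char *p)
{
    return parse_uint32_fixed(p);   /* unsigned, so zero-extended */
}

/* Assumed extraction of the exclusive bit from the widened value. */
static uint64_t excl_bit(uint64_t dependency)
{
    return dependency >> 31;
}

int main(void)
{
    printf("old:   value=0x%016llx excl=%llu\n",
           (unsigned long long) widen_old(sample_priority),
           (unsigned long long) excl_bit(widen_old(sample_priority)));
    printf("fixed: value=0x%016llx excl=%llu\n",
           (unsigned long long) widen_fixed(sample_priority),
           (unsigned long long) excl_bit(widen_fixed(sample_priority)));
    return 0;
}
```

With the modelled old behaviour the exclusive bit comes out as 8589934591, the value shown in the debug log line above; with the cast it is 1.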