[nginx] Core: allow strings without null-termination in ngx_parse_url().
Valentin Bartenev
vbart at nginx.com
Fri Mar 25 13:05:31 UTC 2016
details: http://hg.nginx.org/nginx/rev/5df5d7d771f6
branches:
changeset: 6463:5df5d7d771f6
user: Piotr Sikora <piotrsikora at google.com>
date: Fri Feb 26 17:30:27 2016 -0800
description:
Core: allow strings without null-termination in ngx_parse_url().
This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.
Found with MemorySanitizer.
Signed-off-by: Piotr Sikora <piotrsikora at google.com>
diffstat:
src/core/ngx_inet.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diffs (22 lines):
diff -r fd4b52e74f96 -r 5df5d7d771f6 src/core/ngx_inet.c
--- a/src/core/ngx_inet.c Fri Mar 25 14:10:38 2016 +0300
+++ b/src/core/ngx_inet.c Fri Feb 26 17:30:27 2016 -0800
@@ -529,14 +529,16 @@ ngx_int_t
ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u)
{
u_char *p;
+ size_t len;
p = u->url.data;
+ len = u->url.len;
- if (ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) {
+ if (len >= 5 && ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) {
return ngx_parse_unix_domain_url(pool, u);
}
- if (p[0] == '[') {
+ if (len && p[0] == '[') {
return ngx_parse_inet6_url(pool, u);
}
More information about the nginx-devel
mailing list