[nginx] SSI: avoid potential buffer overflow.
Maxim Dounin
mdounin at mdounin.ru
Thu Jul 18 15:28:40 UTC 2019
details: https://hg.nginx.org/nginx/rev/d75153522557
branches:
changeset: 7539:d75153522557
user: Maxim Dounin <mdounin at mdounin.ru>
date: Thu Jul 18 18:27:53 2019 +0300
description:
SSI: avoid potential buffer overflow.
When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written. The message is mostly identical to
one used in similar cases in the preequal state.
Reported by Patrick Wollgast.
diffstat:
src/http/modules/ngx_http_ssi_filter_module.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (15 lines):
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -1254,9 +1254,9 @@ ngx_http_ssi_parse(ngx_http_request_t *r
case '-':
state = ssi_error_end0_state;
- ctx->param->key.data[ctx->param->key.len++] = ch;
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
- "invalid \"%V\" parameter in \"%V\" SSI command",
+ "unexpected \"-\" symbol after \"%V\" "
+ "parameter in \"%V\" SSI command",
&ctx->param->key, &ctx->command);
break;
More information about the nginx-devel
mailing list