Bug in ngx_http_slice_filter_module ngx_http_slice_parse_content_range function

Maxim Dounin mdounin at mdounin.ru
Sat Jun 29 10:32:51 UTC 2019


On Thu, Jun 27, 2019 at 02:01:27AM +0000, Carey Gister wrote:

> The ngx_http_slice_parse_content_range function assumes that the 
> parsed buffer is null terminated. Since the buffer is an 
> ngx_str_t, that assumption is false. If, by chance, the buffer 
> is null terminated it is simply a matter of luck, and not 
> design.

In many cases ngx_str_t is used for null-terminated strings. 
Most simple example is directive arguments during configuration 
parsing - while arguments are using ngx_str_t type, they are 
guaranteed to be null-terminated.  Other examples are input 
headers, and upstream input headers.  The latter implies that 
response Content-Range header will be null-terminated as seen by 
the slice module - unless you are producing it with some custom 

> In particular, if the headers_out.content_range ngx_str_t was 
> allocated in the ngx_http_range_filter_module then the buffer 
> was allocated as a non-zero terminated buffer by ngx_pnalloc.

The range filter works after the slice module, hence whatever is 
set in the headers_out.content_range field by the range filter 
cannot affect slice module.  Further, if slice module ever uses 
Content-Range header set by the range filter, this would indicate 
a severe bug, as it is expected to use Content-Range header from a 
backend response, not Content-Range header from the resulting 
response to the client.

Maxim Dounin

More information about the nginx-devel mailing list