[njs] Fixed Response headers iteration in Fetch API.

Dmitry Volyntsev xeioex at nginx.com
Thu Apr 14 23:08:39 UTC 2022


details:   https://hg.nginx.org/njs/rev/6b226ed1b25d
branches:  
changeset: 1838:6b226ed1b25d
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Thu Apr 14 16:07:34 2022 -0700
description:
Fixed Response headers iteration in Fetch API.

Previously, a heap-use-after-free might occur when an HTTP Response was
received with more than 8 headers and headers iteration was used.

The fix is not to assume that the pointer to the beginning of the keys array
never changes.  The pointer may change when the array is resized.

The issue was introduced in 81040de6b085 (0.5.1).

This closes issue #492 on GitHub.

diffstat:

 nginx/ngx_js_fetch.c |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (15 lines):

diff -r eab387c72d90 -r 6b226ed1b25d nginx/ngx_js_fetch.c
--- a/nginx/ngx_js_fetch.c	Thu Apr 14 15:39:15 2022 -0700
+++ b/nginx/ngx_js_fetch.c	Thu Apr 14 16:07:34 2022 -0700
@@ -2234,10 +2234,10 @@ ngx_response_js_ext_keys(njs_vm_t *vm, n
 
     length = 0;
     headers = http->headers.elts;
-    start = njs_vm_array_start(vm, keys);
 
     for (i = 0; i < http->headers.nelts; i++) {
         h = &headers[i];
+        start = njs_vm_array_start(vm, keys);
 
         for (k = 0; k < length; k++) {
             njs_value_string_get(njs_argument(start, k), &hdr);
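Review bot: the diffstat lists only nginx/ngx_js_fetch.c, so no regression test accompanies a heap-use-after-free fix whose trigger the message states precisely (a response with more than 8 headers, then header iteration); a test that iterates the keys of such a response, run under ASan, would pin the fix against future refactors. Re-reading `start` at the top of each outer iteration is correct only if the keys array is grown after the inner `for (k = 0; k < length; k++)` loop completes rather than inside it; the hunk is cut off before that point, so please confirm the append (and the `length` update) sit below the inner loop, and consider a one-line comment above `start = njs_vm_array_start(vm, keys);` stating that the pointer is invalidated whenever the array is resized, so the next reader does not hoist it back out of the loop.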


