[nginx] SPDY: fixed corruption of headers with names longer than...

Valentin Bartenev
August 15, 2013 11:20AM
details: http://hg.nginx.org/nginx/rev/2be1a9ce9d8e
branches:
changeset: 5323:2be1a9ce9d8e
user: Valentin Bartenev <vbart@nginx.com>
date: Thu Aug 15 19:14:58 2013 +0400
description:
SPDY: fixed corruption of headers with names longer than 255.

It is a bad idea to put a zero byte in the position where the length of
the next header name can be stored before it was parsed.

diffstat:

src/http/ngx_http_spdy.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)

diffs (69 lines):

diff -r bdb3588681c9 -r 2be1a9ce9d8e src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c Thu Aug 15 19:14:33 2013 +0400
+++ b/src/http/ngx_http_spdy.c Thu Aug 15 19:14:58 2013 +0400
@@ -809,6 +809,8 @@ ngx_http_spdy_state_headers(ngx_http_spd
sc->zstream_in.next_in = pos;
sc->zstream_in.avail_in = size;
sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination of the last header value */
sc->zstream_in.avail_out = buf->end - buf->last - 1;

z = inflate(&sc->zstream_in, Z_NO_FLUSH);
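Review bot: `sc->zstream_in.avail_out = buf->end - buf->last - 1` relies on `buf->last < buf->end` holding whenever this line runs; `avail_out` is unsigned, so if the buffer is ever full the subtraction wraps to a huge value and inflate() is handed more space than exists. The new comment says one byte is reserved but not what guarantees that byte is free at this point; either state that guarantee in the comment or add an explicit `if (buf->last == buf->end)` bail-out before the subtraction.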
@@ -912,9 +914,14 @@ ngx_http_spdy_state_headers(ngx_http_spd
return ngx_http_spdy_state_headers_error(sc, pos, end);
}

+ /* null-terminate the last processed header name or value */
+ *buf->pos = '\0';
+
buf = r->header_in;

sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination */
sc->zstream_in.avail_out = buf->end - buf->last - 1;

z = inflate(&sc->zstream_in, Z_NO_FLUSH);
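Review bot: the `*buf->pos = '\0'` just before `buf = r->header_in` writes into the buffer that is being abandoned, and it is in bounds only because of the byte held back by the `- 1` in the earlier avail_out computation; the two halves of that invariant are now about a hundred lines apart, and the second `avail_out = buf->end - buf->last - 1` below repeats the first verbatim. Consider a small helper or macro for the reserve and a comment on the write naming the reservation that makes it safe, so that whoever touches one site sees the other.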
@@ -996,6 +1003,9 @@ ngx_http_spdy_state_headers(ngx_http_spd
ngx_http_spdy_state_headers);
}

+ /* null-terminate the last header value */
+ *buf->pos = '\0';
+
ngx_http_spdy_run_request(r);

return ngx_http_spdy_state_complete(sc, pos, end);
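Review bot: the `*buf->pos = '\0'` before `ngx_http_spdy_run_request(r)` is now the only thing terminating the last header value, because the `h->value.data[h->value.len] = '\0'` in ngx_http_spdy_handle_request_header is removed by this same changeset; that ordering dependency is invisible from this hunk. Suggest the comment say so, e.g. "the header parser no longer terminates values; this write must precede run_request", otherwise a later refactor that moves run_request earlier would silently hand the request an unterminated value.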
@@ -1936,6 +1946,9 @@ ngx_http_spdy_parse_header(ngx_http_requ
return NGX_HTTP_PARSE_INVALID_HEADER;
}

+ /* null-terminate the previous header value */
+ *p = '\0';
+
p += NGX_SPDY_NV_NLEN_SIZE;

r->header_name_end = p + len;
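Review bot: `*p = '\0'` overwrites the first byte of the name-length field, which is correct only because `len` has already been decoded from the bytes at `p` (`r->header_name_end = p + len` two lines down uses it); this read-then-clobber ordering is the whole fix, so the comment should name it rather than only "null-terminate the previous header value", e.g. "the length at p has been read; reuse its first byte as the terminator of the value that ends here". A future reorder that hoists the write above the length read would reintroduce exactly the >255 corruption this changeset removes.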
@@ -2005,6 +2018,9 @@ ngx_http_spdy_parse_header(ngx_http_requ
return NGX_ERROR;
}

+ /* null-terminate header name */
+ *p = '\0';
+
p += NGX_SPDY_NV_VLEN_SIZE;

r->header_end = p + len;
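Review bot: same pattern for the value-length field, but the guard immediately above returns `NGX_ERROR` whereas the matching guard before the name-length write returns `NGX_HTTP_PARSE_INVALID_HEADER`; if both reject the same class of malformed length one of them should change, and if they differ deliberately a one-line comment would save the next reader the question. The terminator comment could also say that `*p` is the already-decoded first byte of the NGX_SPDY_NV_VLEN_SIZE field, mirroring whatever wording ends up on the name-length site.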
@@ -2163,11 +2179,9 @@ ngx_http_spdy_handle_request_header(ngx_

h->key.len = r->lowcase_index;
h->key.data = r->header_name_start;
- h->key.data[h->key.len] = '\0';

h->value.len = r->header_size;
h->value.data = r->header_start;
- h->value.data[h->value.len] = '\0';

h->lowcase_key = h->key.data;

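Review bot: with `h->key.data[h->key.len] = '\0'` and `h->value.data[h->value.len] = '\0'` gone, `h->key`, `h->value` and `h->lowcase_key` are C strings only by virtue of the terminators ngx_http_spdy_parse_header and the state_headers epilogue wrote earlier; a short comment here ("already null-terminated by the parser") would stop someone from reinstating these writes, which are the very thing that corrupted lengths above 255: `key.data[key.len]` is the high byte of the value-length field and `value.data[value.len]` the high byte of the next header's name-length field, written before that length was parsed.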

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
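The failure mode the commit message describes, as an added example that is not part of the original post or of nginx's code: a minimal in-place parser for a SPDY/2-style name/value block (2-byte big-endian pair count, then pairs of 2-byte length-prefixed name and value; this layout, the locally defined NV_* sizes, the NEED macro and every function name here are assumptions for illustration, not nginx identifiers), with the pre-fix termination scheme beside the ordering the changeset adopts. The constructed input carries a 300-byte header name: the buggy scheme zeroes the high byte of the not-yet-decoded length field, 0x012C reads back as 0x002C (44), and the block is rejected; the fixed scheme parses it and leaves every name and value nul-terminated, using one byte reserved past the block for the last value, as the patch holds back one byte of avail_out.

```c
/* Added example, not nginx code.  In-place parsing of a SPDY/2-style name/value
 * block (assumed layout: u16 count, then per pair u16 nlen, name, u16 vlen, value,
 * all big-endian).  Writing '\0' at data[len] lands on the high byte of the NEXT
 * pair's still-undecoded length and corrupts any length > 255; the changeset's
 * ordering terminates a field only after the length that follows it is read. */
#include <stdlib.h>
#include <string.h>

#define NV_NUM_SIZE  2
#define NV_NLEN_SIZE 2
#define NV_VLEN_SIZE 2
#define MAX_HEADERS  8
#define NEED(k)  if ((size_t) (end - p) < (k)) return -1   /* bounds check before each read */

typedef struct { char *name; size_t nlen; char *value; size_t vlen; } header_t;
typedef struct { long reported; long field; } result_t;

static size_t be16(const unsigned char *p) { return ((size_t) p[0] << 8) | p[1]; }
static void put16(unsigned char *p, size_t v) { p[0] = (unsigned char) (v >> 8); p[1] = (unsigned char) v; }

/* Pre-fix scheme: terminate name[nlen] and value[vlen] once a pair is parsed. */
int parse_buggy(unsigned char *buf, size_t size, header_t *h, size_t max)
{
    unsigned char *p = buf, *end = buf + size;
    size_t i, n, len;
    NEED(NV_NUM_SIZE); n = be16(p); p += NV_NUM_SIZE;
    if (n > max) return -1;
    for (i = 0; i < n; i++) {
        NEED(NV_NLEN_SIZE); len = be16(p); p += NV_NLEN_SIZE;
        NEED(len); h[i].name = (char *) p; h[i].nlen = len; p += len;
        NEED(NV_VLEN_SIZE); len = be16(p); p += NV_VLEN_SIZE;
        NEED(len); h[i].value = (char *) p; h[i].vlen = len; p += len;
        h[i].name[h[i].nlen] = '\0';   /* high byte of this pair's vlen: already decoded, harmless */
        h[i].value[h[i].vlen] = '\0';  /* high byte of the next pair's nlen: not yet decoded, corrupted */
    }
    return (int) n;
}

/* Post-fix scheme: decode a length field, then reuse its first byte as the
 * terminator of the field that ended just before it; the last value is
 * terminated in one byte reserved past the block (caller allocates size + 1). */
int parse_fixed(unsigned char *buf, size_t size, header_t *h, size_t max)
{
    unsigned char *p = buf, *end = buf + size;
    size_t i, n, len;
    NEED(NV_NUM_SIZE); n = be16(p); p += NV_NUM_SIZE;
    if (n > max) return -1;
    for (i = 0; i < n; i++) {
        NEED(NV_NLEN_SIZE); len = be16(p);
        *p = '\0';                     /* terminates the previous value (i == 0: a decoded byte, harmless) */
        p += NV_NLEN_SIZE;
        NEED(len); h[i].name = (char *) p; h[i].nlen = len; p += len;
        NEED(NV_VLEN_SIZE); len = be16(p);
        *p = '\0';                     /* terminates the name */
        p += NV_VLEN_SIZE;
        NEED(len); h[i].value = (char *) p; h[i].vlen = len; p += len;
    }
    *p = '\0';                         /* terminates the last value: p <= end and buf[size] is reserved */
    return (int) n;
}

/* Constructed input: "host: example.test", then a name of name_len 'x' bytes
 * with value "1"; one extra byte is allocated for the final terminator. */
static unsigned char *build_block(size_t name_len, size_t *size_out)
{
    const char *n1 = "host", *v1 = "example.test", *v2 = "1";
    size_t l1 = strlen(n1), l2 = strlen(v1), l3 = strlen(v2);
    size_t size = NV_NUM_SIZE + 2 * (NV_NLEN_SIZE + NV_VLEN_SIZE) + l1 + l2 + name_len + l3;
    unsigned char *buf = malloc(size + 1), *p = buf;
    if (buf == NULL) return NULL;
    put16(p, 2); p += NV_NUM_SIZE;
    put16(p, l1); p += NV_NLEN_SIZE; memcpy(p, n1, l1); p += l1;
    put16(p, l2); p += NV_VLEN_SIZE; memcpy(p, v1, l2); p += l2;
    put16(p, name_len); p += NV_NLEN_SIZE; memset(p, 'x', name_len); p += name_len;
    put16(p, l3); p += NV_VLEN_SIZE; memcpy(p, v2, l3); p += l3;
    *size_out = size;
    return buf;
}

/* Runs one scheme over the constructed block.  reported: the second name's length
 * as the parser returns it (-1 if the block was rejected, -2 if the fixed scheme's
 * name is not a proper C string); field: what the second nlen field (offset 22)
 * holds afterwards, 300 (0x012C) having become 44 (0x002C) under the buggy scheme. */
result_t run_scheme(int use_fixed, size_t name_len)
{
    header_t h[MAX_HEADERS];
    result_t r = { -1, -1 };
    size_t size;
    unsigned char *buf = build_block(name_len, &size);
    int n;
    if (buf == NULL) return r;
    n = use_fixed ? parse_fixed(buf, size, h, MAX_HEADERS) : parse_buggy(buf, size, h, MAX_HEADERS);
    if (n == 2) r.reported = (use_fixed && strlen(h[1].name) != h[1].nlen) ? -2 : (long) h[1].nlen;
    r.field = (long) be16(buf + 22);
    free(buf);
    return r;
}
```

Link the file with a main() that calls run_scheme(0, 300) and run_scheme(1, 300) to see both outcomes. The buggy scheme behaves correctly for names of up to 255 bytes, because then the high byte it zeroes was already zero, which is why ordinary header names never trigger the corruption.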