Welcome! Log In Create A New Profile

[nginx] Fixed ngx_parse_time() out of bounds access (ticket #821).

Forum List Message List New Topic Print View

Maxim Dounin

October 30, 2015 03:18PM

details: http://hg.nginx.org/nginx/rev/4ccb37b04454
branches:
changeset: 6287:4ccb37b04454
user: Maxim Dounin <mdounin@mdounin.ru>
date: Fri Oct 30 21:43:30 2015 +0300
description:
Fixed ngx_parse_time() out of bounds access (ticket #821).

The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.

diffstat:

src/core/ngx_parse.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
break;

case 'm':
- if (*p == 's') {
+ if (p < last && *p == 's') {
if (is_sec || step >= st_msec) {
return NGX_ERROR;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[nginx] Fixed ngx_parse_time() out of bounds access (ticket #821).	Maxim Dounin	553	October 30, 2015 03:18PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 248

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018