Welcome! Log In Create A New Profile

Advanced

[PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu
May 31, 2011 12:26PM
this bug will give rise to nginx(version >= 0.8.40) core dump, and it was
caused by this feature:

*) Feature: a "fastcgi_param" directive with value starting with
"HTTP_" overrides a client request header line.


When we difine fastcgi_param directive with value starting with "HTTP_",
nginx malloc a array(size is header_params that is number of value starting
with "HTTP_"), and if request header contain this value(HTTTP_xxx), nginx
will add this header pointer to array, but if header is duplicated, this
array will cross-border.

e.g. if the config contain this directive (fastcgi_param HTTP_HOST
$http_host), and then request header send multi-duplicated header(Host),
nginx will core dump.


Index: src/http/modules/ngx_http_fastcgi_module.c
===================================================================
--- src/http/modules/ngx_http_fastcgi_module.c (revision 3929)
+++ src/http/modules/ngx_http_fastcgi_module.c (working copy)
@@ -165,7 +165,10 @@
static char *ngx_http_fastcgi_lowat_check(ngx_conf_t *cf, void *post,
void *data);

+static ngx_inline ngx_int_t ngx_http_fastcgi_ignored_header(ngx_uint_t
hash,
+ ngx_uint_t header_params, ngx_uint_t *ignored);

+
static ngx_conf_post_t ngx_http_fastcgi_lowat_post =
{ ngx_http_fastcgi_lowat_check };

@@ -684,18 +687,32 @@
#endif


+static ngx_inline ngx_int_t
+ngx_http_fastcgi_ignored_header(ngx_uint_t hash, ngx_uint_t header_params,
ngx_uint_t *ignored)
+{
+ ngx_uint_t n;
+
+ for (n = 0; n < header_params; n++) {
+ if (hash == ignored[n]) {
+ return NGX_OK;
+ }
+ }
+
+ return NGX_DECLINED;
+}
+
+
static ngx_int_t
ngx_http_fastcgi_create_request(ngx_http_request_t *r)
{
off_t file_pos;
- u_char ch, *pos, *lowcase_key;
- size_t size, len, key_len, val_len, padding,
- allocated;
- ngx_uint_t i, n, next, hash, header_params;
+ u_char ch, *pos;
+ size_t size, len, key_len, val_len, padding;
+ ngx_uint_t i, n, next, header_params, *ignored;
ngx_buf_t *b;
ngx_chain_t *cl, *body;
ngx_list_part_t *part;
- ngx_table_elt_t *header, **ignored;
+ ngx_table_elt_t *header;
ngx_http_script_code_pt code;
ngx_http_script_engine_t e, le;
ngx_http_fastcgi_header_t *h;
@@ -733,11 +750,8 @@

if (flcf->upstream.pass_request_headers) {

- allocated = 0;
- lowcase_key = NULL;
-
if (flcf->header_params) {
- ignored = ngx_palloc(r->pool, flcf->header_params * sizeof(void
*));
+ ignored = ngx_palloc(r->pool, flcf->header_params *
sizeof(ngx_uint_t));
if (ignored == NULL) {
return NGX_ERROR;
}
@@ -759,43 +773,21 @@
}

if (flcf->header_params) {
- if (allocated < header[i].key.len) {
- allocated = header[i].key.len + 16;
- lowcase_key = ngx_pnalloc(r->pool, allocated);
- if (lowcase_key == NULL) {
- return NGX_ERROR;
- }
- }

- hash = 0;
-
- for (n = 0; n < header[i].key.len; n++) {
- ch = header[i].key.data[n];
-
- if (ch >= 'A' && ch <= 'Z') {
- ch |= 0x20;
-
- } else if (ch == '-') {
- ch = '_';
+ if (ngx_hash_find(&flcf->headers_hash, header[i].hash,
+ header[i].lowcase_key,
header[i].key.len)) {
+ if (ngx_http_fastcgi_ignored_header(header[i].hash,
+ header_params, ignored) == NGX_OK) {
+ continue;
}
-
- hash = ngx_hash(hash, ch);
- lowcase_key[n] = ch;
- }
-
- if (ngx_hash_find(&flcf->headers_hash, hash, lowcase_key,
n)) {
- ignored[header_params++] = &header[i];
+ ignored[header_params++] = header[i].hash;
continue;
}
-
- n += sizeof("HTTP_") - 1;
-
- } else {
- n = sizeof("HTTP_") - 1 + header[i].key.len;
}
-
- len += ((n > 127) ? 4 : 1) + ((header[i].value.len > 127) ? 4 :
1)
- + n + header[i].value.len;
+
+ len += ((sizeof("HTTP_") - 1 + header[i].key.len > 127) ? 4 :
1)
+ + ((header[i].value.len > 127) ? 4 : 1)
+ + sizeof("HTTP_") - 1 + header[i].key.len +
header[i].value.len;
}
}

@@ -915,10 +907,9 @@
i = 0;
}

- for (n = 0; n < header_params; n++) {
- if (&header[i] == ignored[n]) {
- goto next;
- }
+ if (ngx_http_fastcgi_ignored_header(header[i].hash,
+ header_params, ignored) == NGX_OK) {
+ continue;
}

key_len = sizeof("HTTP_") - 1 + header[i].key.len;
@@ -964,8 +955,6 @@
"fastcgi param: \"%*s: %*s\"",
key_len, b->last - (key_len + val_len),
val_len, b->last - val_len);
- next:
-
continue;
}
}
@@ -2013,10 +2002,10 @@
ngx_http_fastcgi_loc_conf_t *prev = parent;
ngx_http_fastcgi_loc_conf_t *conf = child;

- u_char *p;
+ u_char ch, *p;
size_t size;
uintptr_t *code;
- ngx_uint_t i;
+ ngx_uint_t i, n, params_hash;
ngx_array_t headers_names;
ngx_keyval_t *src;
ngx_hash_key_t *hk;
@@ -2374,7 +2363,22 @@

hk->key.len = src[i].key.len - 5;
hk->key.data = src[i].key.data + 5;
- hk->key_hash = ngx_hash_key_lc(hk->key.data, hk->key.len);
+
+ params_hash = 0;
+ for (n = 5; n < src[i].key.len; n++) {
+ ch = src[i].key.data[n];
+
+ if (ch >= 'A' && ch <= 'Z') {
+ ch |= 0x20;
+
+ } else if (ch == '_') {
+ ch = '-';
+ }
+
+ params_hash = ngx_hash(params_hash, ch);
+ }
+
+ hk->key_hash = params_hash;
hk->value = (void *) 1;

if (src[i].value.len == 0) {

--
博观约取

豆瓣:www.douban.com/people/mustang/

blog: www.pagefault.info

twitter: www.twitter.com/minibobo

sina 微博: www.weibo.com/diaoliang
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 1571 May 31, 2011 12:26PM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin 597 May 31, 2011 07:58PM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 552 June 02, 2011 03:30AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin 558 June 02, 2011 05:54AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 570 June 10, 2011 02:54AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 522 June 10, 2011 04:58AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin 575 June 11, 2011 08:32AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 614 June 13, 2011 10:58AM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin 539 June 13, 2011 07:42PM

Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Simon Liu 685 June 15, 2011 03:30AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 110
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready