src/http/modules/ngx_http_proxy_module.c:645 in ngx_http_proxy_eval

For some service the proxy url is specified by user from arguments. after
ngx_http_script_run, proxy.len may be smaller than "http://" without the
terminating '\0'. For example, {len = 4, data = "http://abcdefg"}. It passes
the
schema check, but url.url.len = proxy.len - 7 becomes a very big number.
the process will core during later memcpy.

simple fix:

diff -ruN nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c
nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c
--- nginx-1.0.5/src/http/modules/ngx_http_proxy_module.c 2011-02-17
19:54:35.000000000 +0800
+++ nginx-1.0.5_zls/src/http/modules/ngx_http_proxy_module.c 2011-07-28
09:57:06.568333685 +0800
@@ -642,14 +642,14 @@
return NGX_ERROR;
}

- if (ngx_strncasecmp(proxy.data, (u_char *) "http://", 7) == 0) {
+ if (proxy.len > 7 && ngx_strncasecmp(proxy.data, (u_char *) "http://",
7) == 0) {

add = 7;
port = 80;

#if (NGX_HTTP_SSL)

- } else if (ngx_strncasecmp(proxy.data, (u_char *) "https://", 8) == 0)
{
+ } else if (proxy.len > 8 && ngx_strncasecmp(proxy.data, (u_char *)
"https://", 8) == 0) {

add = 8;
port = 443;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel