Author: mdounin
Date: 2012-03-15 11:23:07 +0000 (Thu, 15 Mar 2012)
New Revision: 4529

Log:
Fixed ssi and perl interaction.

Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer. Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.

While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.

Reported by Matthew Daley.


Modified:
trunk/src/http/modules/ngx_http_ssi_filter_module.c

Modified: trunk/src/http/modules/ngx_http_ssi_filter_module.c
===================================================================
--- trunk/src/http/modules/ngx_http_ssi_filter_module.c 2012-03-15 11:21:54 UTC (rev 4528)
+++ trunk/src/http/modules/ngx_http_ssi_filter_module.c 2012-03-15 11:23:07 UTC (rev 4529)
@@ -1204,7 +1204,7 @@

if (ctx->value_buf == NULL) {
ctx->param->value.data = ngx_pnalloc(r->pool,
- ctx->value_len);
+ ctx->value_len + 1);
if (ctx->param->value.data == NULL) {
return NGX_ERROR;
}
@@ -1375,6 +1375,16 @@
case ssi_quoted_symbol_state:
state = ctx->saved_state;

+ if (ctx->param->value.len == ctx->value_len) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long \"%V%c...\" value of \"%V\" "
+ "parameter in \"%V\" SSI command",
+ &ctx->param->value, ch, &ctx->param->key,
+ &ctx->command);
+ state = ssi_error_state;
+ break;
+ }
+
ctx->param->value.data[ctx->param->value.len++] = ch;

break;
@@ -2886,7 +2896,7 @@
prev->ignore_recycled_buffers, 0);

ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
- ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
+ ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);

if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
&prev->types_keys, &prev->types,

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel