On Monday 25 June 2012 18:42:31 Piotr Sikora wrote:
> commit 13d9f7edd9ad88e2bb1fb32a61b439c332c04076
> Author: Piotr Sikora <piotr.sikora@frickle.com>
> Date: Mon Jun 25 14:32:33 2012 +0000
>
> Kill unsafe version of ngx_spdy_frame_write_len macro.
>
> This macro was accessing 4 bytes (via both: cast to uint32_t and
> read of p[3]), instead of 3 bytes it was supposed to, which could
> result in reads outside of the allocated memory region and SIGSEGV.
>
> Signed-off-by: Piotr Sikora <piotr.sikora@frickle.com>

Patch was accepted. Thanks.

wbr, Valentin V. Bartenev


> diff --git a/src/http/ngx_http_spdy.h b/src/http/ngx_http_spdy.h
> index b26e05d..018624b 100644
> --- a/src/http/ngx_http_spdy.h
> +++ b/src/http/ngx_http_spdy.h
> @@ -112,9 +112,6 @@ void
> ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
> #define ngx_spdy_frame_write_uint32(p, s)
> \ (*(uint32_t *) (p) = htonl(s), (p) + 4)
>
> -#define ngx_spdy_frame_write_len(p, s)
> \ - (*(uint32_t *) (p) = htonl(((s) << 8) | (p)[3]), (p) + 3)
> -
> #define ngx_spdy_frame_write_len_unsafe(p, s)
> \ (*(uint32_t *) (p) = htonl((s) << 8), (p) + 3)
>
> @@ -131,13 +128,13 @@ void
> ngx_http_spdy_filter_free_data_frame(ngx_http_spdy_frame_chain_t *frame);
> (p)[2] = (u_char) (s) >> 8,
> \ (p)[3] = (u_char) (s), (p) + 4)
>
> +#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
> +
> +#endif
> +
> #define ngx_spdy_frame_write_len(p, s)
> \ ((p)[0] = (u_char) ((s) >> 16),
> \ (p)[1] = (u_char) ((s) >> 8),
> \ (p)[2] = (u_char) (s), (p) + 3)
>
> -#define ngx_spdy_frame_write_len_unsafe ngx_spdy_frame_write_len
> -
> -#endif
> -
> #endif /* _NGX_HTTP_SPDY_H_INCLUDED_ */
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel