Welcome! Log In Create A New Profile

Advanced

[nginx] Core: overflow detection in number parsing functions.

Ruslan Ermilov
March 17, 2015 06:00AM
details: http://hg.nginx.org/nginx/rev/15a15f6ae3a2
branches:
changeset: 6009:15a15f6ae3a2
user: Ruslan Ermilov <ru@nginx.com>
date: Tue Mar 17 00:26:15 2015 +0300
description:
Core: overflow detection in number parsing functions.

diffstat:

src/core/ngx_parse.c | 25 +++++++-----
src/core/ngx_string.c | 99 +++++++++++++++++++++++++++++---------------------
2 files changed, 72 insertions(+), 52 deletions(-)

diffs (truncated from 317 to 300 lines):

diff -r b92d5a26d55f -r 15a15f6ae3a2 src/core/ngx_parse.c
--- a/src/core/ngx_parse.c Tue Mar 17 00:24:34 2015 +0300
+++ b/src/core/ngx_parse.c Tue Mar 17 00:26:15 2015 +0300
@@ -12,10 +12,9 @@
ssize_t
ngx_parse_size(ngx_str_t *line)
{
- u_char unit;
- size_t len;
- ssize_t size;
- ngx_int_t scale;
+ u_char unit;
+ size_t len;
+ ssize_t size, scale, max;

len = line->len;
unit = line->data[len - 1];
@@ -24,21 +23,24 @@ ngx_parse_size(ngx_str_t *line)
case 'K':
case 'k':
len--;
+ max = NGX_MAX_SIZE_T_VALUE / 1024;
scale = 1024;
break;

case 'M':
case 'm':
len--;
+ max = NGX_MAX_SIZE_T_VALUE / (1024 * 1024);
scale = 1024 * 1024;
break;

default:
+ max = NGX_MAX_SIZE_T_VALUE;
scale = 1;
}

size = ngx_atosz(line->data, len);
- if (size == NGX_ERROR) {
+ if (size == NGX_ERROR || size > max) {
return NGX_ERROR;
}

@@ -51,10 +53,9 @@ ngx_parse_size(ngx_str_t *line)
off_t
ngx_parse_offset(ngx_str_t *line)
{
- u_char unit;
- off_t offset;
- size_t len;
- ngx_int_t scale;
+ u_char unit;
+ off_t offset, scale, max;
+ size_t len;

len = line->len;
unit = line->data[len - 1];
@@ -63,27 +64,31 @@ ngx_parse_offset(ngx_str_t *line)
case 'K':
case 'k':
len--;
+ max = NGX_MAX_OFF_T_VALUE / 1024;
scale = 1024;
break;

case 'M':
case 'm':
len--;
+ max = NGX_MAX_OFF_T_VALUE / (1024 * 1024);
scale = 1024 * 1024;
break;

case 'G':
case 'g':
len--;
+ max = NGX_MAX_OFF_T_VALUE / (1024 * 1024 * 1024);
scale = 1024 * 1024 * 1024;
break;

default:
+ max = NGX_MAX_OFF_T_VALUE;
scale = 1;
}

offset = ngx_atoof(line->data, len);
- if (offset == NGX_ERROR) {
+ if (offset == NGX_ERROR || offset > max) {
return NGX_ERROR;
}

diff -r b92d5a26d55f -r 15a15f6ae3a2 src/core/ngx_string.c
--- a/src/core/ngx_string.c Tue Mar 17 00:24:34 2015 +0300
+++ b/src/core/ngx_string.c Tue Mar 17 00:26:15 2015 +0300
@@ -901,26 +901,28 @@ ngx_filename_cmp(u_char *s1, u_char *s2,
ngx_int_t
ngx_atoi(u_char *line, size_t n)
{
- ngx_int_t value;
+ ngx_int_t value, cutoff, cutlim;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_INT_T_VALUE / 10;
+ cutlim = NGX_MAX_INT_T_VALUE % 10;
+
for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') {
return NGX_ERROR;
}

+ if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+ return NGX_ERROR;
+ }
+
value = value * 10 + (*line - '0');
}

- if (value < 0) {
- return NGX_ERROR;
-
- } else {
- return value;
- }
+ return value;
}


@@ -929,13 +931,16 @@ ngx_atoi(u_char *line, size_t n)
ngx_int_t
ngx_atofp(u_char *line, size_t n, size_t point)
{
- ngx_int_t value;
+ ngx_int_t value, cutoff, cutlim;
ngx_uint_t dot;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_INT_T_VALUE / 10;
+ cutlim = NGX_MAX_INT_T_VALUE % 10;
+
dot = 0;

for (value = 0; n--; line++) {
@@ -957,98 +962,107 @@ ngx_atofp(u_char *line, size_t n, size_t
return NGX_ERROR;
}

+ if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+ return NGX_ERROR;
+ }
+
value = value * 10 + (*line - '0');
point -= dot;
}

while (point--) {
+ if (value > cutoff) {
+ return NGX_ERROR;
+ }
+
value = value * 10;
}

- if (value < 0) {
- return NGX_ERROR;
-
- } else {
- return value;
- }
+ return value;
}


ssize_t
ngx_atosz(u_char *line, size_t n)
{
- ssize_t value;
+ ssize_t value, cutoff, cutlim;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_SIZE_T_VALUE / 10;
+ cutlim = NGX_MAX_SIZE_T_VALUE % 10;
+
for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') {
return NGX_ERROR;
}

+ if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+ return NGX_ERROR;
+ }
+
value = value * 10 + (*line - '0');
}

- if (value < 0) {
- return NGX_ERROR;
-
- } else {
- return value;
- }
+ return value;
}


off_t
ngx_atoof(u_char *line, size_t n)
{
- off_t value;
+ off_t value, cutoff, cutlim;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_OFF_T_VALUE / 10;
+ cutlim = NGX_MAX_OFF_T_VALUE % 10;
+
for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') {
return NGX_ERROR;
}

+ if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+ return NGX_ERROR;
+ }
+
value = value * 10 + (*line - '0');
}

- if (value < 0) {
- return NGX_ERROR;
-
- } else {
- return value;
- }
+ return value;
}


time_t
ngx_atotm(u_char *line, size_t n)
{
- time_t value;
+ time_t value, cutoff, cutlim;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_TIME_T_VALUE / 10;
+ cutlim = NGX_MAX_TIME_T_VALUE % 10;
+
for (value = 0; n--; line++) {
if (*line < '0' || *line > '9') {
return NGX_ERROR;
}

+ if (value >= cutoff && (value > cutoff || *line - '0' > cutlim)) {
+ return NGX_ERROR;
+ }
+
value = value * 10 + (*line - '0');
}

- if (value < 0) {
- return NGX_ERROR;
-
- } else {
- return value;
- }
+ return value;
}


@@ -1056,13 +1070,19 @@ ngx_int_t
ngx_hextoi(u_char *line, size_t n)
{
u_char c, ch;
- ngx_int_t value;
+ ngx_int_t value, cutoff;

if (n == 0) {
return NGX_ERROR;
}

+ cutoff = NGX_MAX_INT_T_VALUE / 16;
+
for (value = 0; n--; line++) {
+ if (value > cutoff) {
+ return NGX_ERROR;
+ }
+

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Core: overflow detection in number parsing functions.

Ruslan Ermilov 485 March 17, 2015 06:00AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 323
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready