Welcome! Log In Create A New Profile

Advanced

[nginx] Overflow detection in ngx_http_parse_chunked().

Ruslan Ermilov
March 17, 2015 06:02AM
details: http://hg.nginx.org/nginx/rev/e370c5fdf4c8
branches:
changeset: 6014:e370c5fdf4c8
user: Ruslan Ermilov <ru@nginx.com>
date: Tue Mar 17 00:26:27 2015 +0300
description:
Overflow detection in ngx_http_parse_chunked().

diffstat:

src/http/ngx_http_parse.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 9653092a79fd -r e370c5fdf4c8 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Tue Mar 17 00:26:24 2015 +0300
+++ b/src/http/ngx_http_parse.c Tue Mar 17 00:26:27 2015 +0300
@@ -2155,6 +2155,10 @@ ngx_http_parse_chunked(ngx_http_request_
goto invalid;

case sw_chunk_size:
+ if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) {
+ goto invalid;
+ }
+
if (ch >= '0' && ch <= '9') {
ctx->size = ctx->size * 16 + (ch - '0');
break;
@@ -2304,6 +2308,10 @@ data:
ctx->state = state;
b->pos = pos;

+ if (ctx->size > NGX_MAX_OFF_T_VALUE - 5) {
+ goto invalid;
+ }
+
switch (state) {

case sw_chunk_start:
@@ -2340,10 +2348,6 @@ data:

}

- if (ctx->size < 0 || ctx->length < 0) {
- goto invalid;
- }
-
return rc;

done:

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Overflow detection in ngx_http_parse_chunked().

Ruslan Ermilov 470 March 17, 2015 06:02AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 317
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready