details: http://hg.nginx.org/nginx/rev/302ff40c9bc9
branches:
changeset: 6543:302ff40c9bc9
user: Maxim Dounin <mdounin@mdounin.ru>
date: Wed May 18 16:21:32 2016 +0300
description:
Added overflow checks for version numbers (ticket #762).

Both minor and major versions are now limited to 999 maximum. In case of
r->http_minor, this limit is already implied by the code. Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.

diffstat:

src/http/ngx_http_parse.c | 16 ++++++++++++++++
1 files changed, 16 insertions(+), 0 deletions(-)

diffs (47 lines):

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -737,6 +737,10 @@ ngx_http_parse_request_line(ngx_http_req
return NGX_HTTP_PARSE_INVALID_REQUEST;
}

+ if (r->http_major > 99) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+
r->http_major = r->http_major * 10 + ch - '0';
break;

@@ -770,6 +774,10 @@ ngx_http_parse_request_line(ngx_http_req
return NGX_HTTP_PARSE_INVALID_REQUEST;
}

+ if (r->http_minor > 99) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+
r->http_minor = r->http_minor * 10 + ch - '0';
break;

@@ -1680,6 +1688,10 @@ ngx_http_parse_status_line(ngx_http_requ
return NGX_ERROR;
}

+ if (r->http_major > 99) {
+ return NGX_ERROR;
+ }
+
r->http_major = r->http_major * 10 + ch - '0';
break;

@@ -1704,6 +1716,10 @@ ngx_http_parse_status_line(ngx_http_requ
return NGX_ERROR;
}

+ if (r->http_minor > 99) {
+ return NGX_ERROR;
+ }
+
r->http_minor = r->http_minor * 10 + ch - '0';
break;


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel