diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2016-02-24 16:01:23 +0300 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2016-02-24 16:01:23 +0300 |
| commit | 1d294eea3eff92d62057eecdba5024cf273b76ca (patch) | |
| tree | 7571132be835bb194a80b5b42ae9c81a529955a0 | |
| parent | 4275d0a8a00090b31d34ace8ddc95412cc6c700a (diff) | |
| download | nginx-1d294eea3eff92d62057eecdba5024cf273b76ca.tar.gz nginx-1d294eea3eff92d62057eecdba5024cf273b76ca.zip | |
Fixed buffer over-read while logging invalid request headers.
Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return
NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character. In this
case the r->header_end pointer isn't properly initialized, but the log message
in ngx_http_process_request_headers() hasn't been adjusted. It used the pointer
in size calculation, which might result in up to 2k buffer over-read.
Found with afl-fuzz.
| -rw-r--r-- | src/http/ngx_http_request.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 99e932509..5a39c118a 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1351,12 +1351,11 @@ ngx_http_process_request_headers(ngx_event_t *rev) continue; } - /* rc == NGX_HTTP_PARSE_INVALID_HEADER: "\r" is not followed by "\n" */ + /* rc == NGX_HTTP_PARSE_INVALID_HEADER */ ngx_log_error(NGX_LOG_INFO, c->log, 0, - "client sent invalid header line: \"%*s\\r...\"", - r->header_end - r->header_name_start, - r->header_name_start); + "client sent invalid header line"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); return; } |