From: Valentin Bartenev Date: Sun, 17 Nov 2013 23:06:45 +0000 (+0400) Subject: Proxy: fixed possible uninitialized memory access. X-Git-Tag: release-1.7.1~35 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=b53306815ecb226c6ae0dd9729a7a0af0043b4d4;p=nginx.git Proxy: fixed possible uninitialized memory access. The ngx_http_proxy_rewrite_cookie() function expects the value of the "Set-Cookie" header to be null-terminated, and for headers obtained from proxied server it is usually true. Now the ngx_http_proxy_rewrite() function preserves the null character while rewriting headers. This fixes accessing memory outside of rewritten value if both the "proxy_cookie_path" and "proxy_cookie_domain" directives are used in the same location. --- diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c index cf7d677ae..ed596f862 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix, if (replacement->len > len) { - data = ngx_pnalloc(r->pool, new_len); + data = ngx_pnalloc(r->pool, new_len + 1); if (data == NULL) { return NGX_ERROR; } @@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix, p = ngx_copy(p, replacement->data, replacement->len); ngx_memcpy(p, h->value.data + prefix + len, - h->value.len - len - prefix); + h->value.len - len - prefix + 1); h->value.data = data; @@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix, replacement->len); ngx_memmove(p, h->value.data + prefix + len, - h->value.len - len - prefix); + h->value.len - len - prefix + 1); } h->value.len = new_len;