security: applied the null-character-fixes patch from the mainstream. The bug did result in a disclosure of previously freed memory if upstream server returned specially crafted response, potentially exposing sensitive information.

pull/14/head
agentzh (章亦春) 13 years ago
parent 2d3383ee54
commit deff21617c

@ -0,0 +1,113 @@
--- src/http/modules/ngx_http_fastcgi_module.c
+++ src/http/modules/ngx_http_fastcgi_module.c
@@ -1501,10 +1501,10 @@ ngx_http_fastcgi_process_header(ngx_http
h->lowcase_key = h->key.data + h->key.len + 1
+ h->value.len + 1;
- ngx_cpystrn(h->key.data, r->header_name_start,
- h->key.len + 1);
- ngx_cpystrn(h->value.data, r->header_start,
- h->value.len + 1);
+ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+ h->key.data[h->key.len] = '\0';
+ ngx_memcpy(h->value.data, r->header_start, h->value.len);
+ h->value.data[h->value.len] = '\0';
}
h->hash = r->header_hash;
--- src/http/modules/ngx_http_proxy_module.c
+++ src/http/modules/ngx_http_proxy_module.c
@@ -1381,8 +1381,10 @@ ngx_http_proxy_process_header(ngx_http_r
h->value.data = h->key.data + h->key.len + 1;
h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+ h->key.data[h->key.len] = '\0';
+ ngx_memcpy(h->value.data, r->header_start, h->value.len);
+ h->value.data[h->value.len] = '\0';
if (h->key.len == r->lowcase_index) {
ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
--- src/http/modules/ngx_http_scgi_module.c
+++ src/http/modules/ngx_http_scgi_module.c
@@ -941,8 +941,10 @@ ngx_http_scgi_process_header(ngx_http_re
h->value.data = h->key.data + h->key.len + 1;
h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+ h->key.data[h->key.len] = '\0';
+ ngx_memcpy(h->value.data, r->header_start, h->value.len);
+ h->value.data[h->value.len] = '\0';
if (h->key.len == r->lowcase_index) {
ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
--- src/http/modules/ngx_http_uwsgi_module.c
+++ src/http/modules/ngx_http_uwsgi_module.c
@@ -985,8 +985,10 @@ ngx_http_uwsgi_process_header(ngx_http_r
h->value.data = h->key.data + h->key.len + 1;
h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+ h->key.data[h->key.len] = '\0';
+ ngx_memcpy(h->value.data, r->header_start, h->value.len);
+ h->value.data[h->value.len] = '\0';
if (h->key.len == r->lowcase_index) {
ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
--- src/http/ngx_http_parse.c
+++ src/http/ngx_http_parse.c
@@ -874,6 +874,10 @@ ngx_http_parse_header_line(ngx_http_requ
break;
}
+ if (ch == '\0') {
+ return NGX_HTTP_PARSE_INVALID_HEADER;
+ }
+
r->invalid_header = 1;
break;
@@ -936,6 +940,10 @@ ngx_http_parse_header_line(ngx_http_requ
break;
}
+ if (ch == '\0') {
+ return NGX_HTTP_PARSE_INVALID_HEADER;
+ }
+
r->invalid_header = 1;
break;
@@ -954,6 +962,8 @@ ngx_http_parse_header_line(ngx_http_requ
r->header_start = p;
r->header_end = p;
goto done;
+ case '\0':
+ return NGX_HTTP_PARSE_INVALID_HEADER;
default:
r->header_start = p;
state = sw_value;
@@ -975,6 +985,8 @@ ngx_http_parse_header_line(ngx_http_requ
case LF:
r->header_end = p;
goto done;
+ case '\0':
+ return NGX_HTTP_PARSE_INVALID_HEADER;
}
break;
@@ -988,6 +1000,8 @@ ngx_http_parse_header_line(ngx_http_requ
break;
case LF:
goto done;
+ case '\0':
+ return NGX_HTTP_PARSE_INVALID_HEADER;
default:
state = sw_value;
break;

@ -57,6 +57,9 @@ patch -p1 < $root/patches/nginx-$main_ver-allow_request_body_updating.patch || e
patch -p1 < $root/patches/nginx-$main_ver-log_escape_non_ascii.patch || exit 1
echo "INFO: applying null-character-fixes patch"
patch -p0 < $root/patches/nginx-$main_ver-null-character-fixes.patch || exit 1
#patch -p1 < $root/patches/nginx-$main_ver-gzip_ok_invalid_read_fix.patch || exit 1
rm -f *.patch || exit 1

Loading…
Cancel
Save