Mercurial > hg > nginx

diff src/http/ngx_http_parse.c @ 6543:302ff40c9bc9
Added overflow checks for version numbers (ticket #762). Both minor and major versions are now limited to 999 maximum. In case of r->http_minor, this limit is already implied by the code. Major version, r->http_major, in theory can be up to 65535 with current code, but such values are very unlikely to become real (and, additionally, such values are not allowed by RFC 7230), so the same test was used for r->http_major.
author: Maxim Dounin <mdounin@mdounin.ru>
date: Wed, 18 May 2016 16:21:32 +0300
parents: e370c5fdf4c8
children: b3682580c1bd
--- a/src/http/ngx_http_parse.c	Wed May 18 15:57:30 2016 +0300
+++ b/src/http/ngx_http_parse.c	Wed May 18 16:21:32 2016 +0300
@@ -737,6 +737,10 @@
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
+            if (r->http_major > 99) {
+                return NGX_HTTP_PARSE_INVALID_REQUEST;
+            }
+
             r->http_major = r->http_major * 10 + ch - '0';
             break;
 
@@ -770,6 +774,10 @@
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
+            if (r->http_minor > 99) {
+                return NGX_HTTP_PARSE_INVALID_REQUEST;
+            }
+
             r->http_minor = r->http_minor * 10 + ch - '0';
             break;
 
@@ -1680,6 +1688,10 @@
                 return NGX_ERROR;
             }
 
+            if (r->http_major > 99) {
+                return NGX_ERROR;
+            }
+
             r->http_major = r->http_major * 10 + ch - '0';
             break;
 
@@ -1704,6 +1716,10 @@
                 return NGX_ERROR;
             }
 
+            if (r->http_minor > 99) {
+                return NGX_ERROR;
+            }
+
             r->http_minor = r->http_minor * 10 + ch - '0';
             break;
author	Maxim Dounin <mdounin@mdounin.ru>
date	Wed, 18 May 2016 16:21:32 +0300
parents	e370c5fdf4c8
children	b3682580c1bd