Mercurial > hg > nginx
view src/core/ngx_crc.h @ 8164:b71e69247483
Variables: avoid possible buffer overrun with some "$sent_http_*".
The existing logic to evaluate multi header "$sent_http_*" variables,
such as $sent_http_cache_control, as previously introduced in 1.23.0,
doesn't take into account that one or more elements can be cleared,
yet still present in a linked list, pointed to by the next field.
Such elements don't contribute to the resulting variable length, an
attempt to append a separator for them ends up in out of bounds write.
This is not possible with standard modules, though at least one third
party module is known to override multi header values this way, so it
makes sense to harden the logic.
The fix restores a generic boundary check.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 01 May 2023 19:16:05 +0400 |
parents | d620f497c50f |
children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_CRC_H_INCLUDED_ #define _NGX_CRC_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> /* 32-bit crc16 */ static ngx_inline uint32_t ngx_crc(u_char *data, size_t len) { uint32_t sum; for (sum = 0; len; len--) { /* * gcc 2.95.2 x86 and icc 7.1.006 compile * that operator into the single "rol" opcode, * msvc 6.0sp2 compiles it into four opcodes. */ sum = sum >> 1 | sum << 31; sum += *data++; } return sum; } #endif /* _NGX_CRC_H_INCLUDED_ */