Mercurial > hg > nginx
view src/core/ngx_proxy_protocol.h @ 8164:b71e69247483
Variables: avoid possible buffer overrun with some "$sent_http_*".
The existing logic to evaluate multi header "$sent_http_*" variables,
such as $sent_http_cache_control, as previously introduced in 1.23.0,
doesn't take into account that one or more elements can be cleared,
yet still present in a linked list, pointed to by the next field.
Such elements don't contribute to the resulting variable length, an
attempt to append a separator for them ends up in out of bounds write.
This is not possible with standard modules, though at least one third
party module is known to override multi header values this way, so it
makes sense to harden the logic.
The fix restores a generic boundary check.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 01 May 2023 19:16:05 +0400 |
parents | 17d6a537fb1b |
children |
line wrap: on
line source
/* * Copyright (C) Roman Arutyunyan * Copyright (C) Nginx, Inc. */ #ifndef _NGX_PROXY_PROTOCOL_H_INCLUDED_ #define _NGX_PROXY_PROTOCOL_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #define NGX_PROXY_PROTOCOL_V1_MAX_HEADER 107 #define NGX_PROXY_PROTOCOL_MAX_HEADER 4096 struct ngx_proxy_protocol_s { ngx_str_t src_addr; ngx_str_t dst_addr; in_port_t src_port; in_port_t dst_port; ngx_str_t tlvs; }; u_char *ngx_proxy_protocol_read(ngx_connection_t *c, u_char *buf, u_char *last); u_char *ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last); ngx_int_t ngx_proxy_protocol_get_tlv(ngx_connection_t *c, ngx_str_t *name, ngx_str_t *value); #endif /* _NGX_PROXY_PROTOCOL_H_INCLUDED_ */