Mercurial > hg > nginx
view src/core/ngx_regex.h @ 8164:b71e69247483
Variables: avoid possible buffer overrun with some "$sent_http_*".
The existing logic to evaluate multi header "$sent_http_*" variables,
such as $sent_http_cache_control, as previously introduced in 1.23.0,
doesn't take into account that one or more elements can be cleared,
yet still present in a linked list, pointed to by the next field.
Such elements don't contribute to the resulting variable length, an
attempt to append a separator for them ends up in out of bounds write.
This is not possible with standard modules, though at least one third
party module is known to override multi header values this way, so it
makes sense to harden the logic.
The fix restores a generic boundary check.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Mon, 01 May 2023 19:16:05 +0400 |
parents | d07456044b61 |
children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_REGEX_H_INCLUDED_ #define _NGX_REGEX_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #if (NGX_PCRE2) #define PCRE2_CODE_UNIT_WIDTH 8 #include <pcre2.h> #define NGX_REGEX_NO_MATCHED PCRE2_ERROR_NOMATCH /* -1 */ typedef pcre2_code ngx_regex_t; #else #include <pcre.h> #define NGX_REGEX_NO_MATCHED PCRE_ERROR_NOMATCH /* -1 */ typedef struct { pcre *code; pcre_extra *extra; } ngx_regex_t; #endif #define NGX_REGEX_CASELESS 0x00000001 #define NGX_REGEX_MULTILINE 0x00000002 typedef struct { ngx_str_t pattern; ngx_pool_t *pool; ngx_uint_t options; ngx_regex_t *regex; int captures; int named_captures; int name_size; u_char *names; ngx_str_t err; } ngx_regex_compile_t; typedef struct { ngx_regex_t *regex; u_char *name; } ngx_regex_elt_t; void ngx_regex_init(void); ngx_int_t ngx_regex_compile(ngx_regex_compile_t *rc); ngx_int_t ngx_regex_exec(ngx_regex_t *re, ngx_str_t *s, int *captures, ngx_uint_t size); #if (NGX_PCRE2) #define ngx_regex_exec_n "pcre2_match()" #else #define ngx_regex_exec_n "pcre_exec()" #endif ngx_int_t ngx_regex_exec_array(ngx_array_t *a, ngx_str_t *s, ngx_log_t *log); #endif /* _NGX_REGEX_H_INCLUDED_ */