From c3aed0a23392a509f64b740064f5f6633e8c89d8 Mon Sep 17 00:00:00 2001
From: Piotr Sikora <piotrsikora@google.com>
Date: Fri, 26 Feb 2016 17:30:27 -0800
Subject: [PATCH] Core: allow strings without null-termination in
 ngx_parse_url().

This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
---
 src/core/ngx_inet.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
index 96a04fded..3bbadb8b8 100644
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -529,14 +529,16 @@ ngx_int_t
 ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u)
 {
     u_char  *p;
+    size_t   len;
 
     p = u->url.data;
+    len = u->url.len;
 
-    if (ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) {
+    if (len >= 5 && ngx_strncasecmp(p, (u_char *) "unix:", 5) == 0) {
         return ngx_parse_unix_domain_url(pool, u);
     }
 
-    if (p[0] == '[') {
+    if (len && p[0] == '[') {
         return ngx_parse_inet6_url(pool, u);
     }