IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-23 07:33:29 -06:00
Code Issues Packages Projects Releases Wiki Activity

Added overflow checks for version numbers (ticket #762).

Browse Source 
Both minor and major versions are now limited to 999 maximum.  In case of
r->http_minor, this limit is already implied by the code.  Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
This commit is contained in:
Maxim Dounin 2016-05-18 16:21:32 +03:00
parent ce9ff81b32
commit e647c47f2a
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/http/ngx_http_parse.c
View File

@ -737,6 +737,10 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
if (r->http_major > 99) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
r->http_major = r->http_major * 10 + ch - '0';
break;
@ -770,6 +774,10 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
if (r->http_minor > 99) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
r->http_minor = r->http_minor * 10 + ch - '0';
break;
@ -1680,6 +1688,10 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
return NGX_ERROR;
}
if (r->http_major > 99) {
return NGX_ERROR;
}
r->http_major = r->http_major * 10 + ch - '0';
break;
@ -1704,6 +1716,10 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
return NGX_ERROR;
}
if (r->http_minor > 99) {
return NGX_ERROR;
}
r->http_minor = r->http_minor * 10 + ch - '0';
break;