diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2020-11-17 20:54:10 +0000 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2020-11-17 20:54:10 +0000 |
| commit | 9129fb3db9e2f9899161e9573e7a19c774a0df6a (patch) | |
| tree | 07a6ba76d65b235cc56691e49ebcd3a95d62c1ac /src/http/v3/ngx_http_v3_parse.c | |
| parent | 49f0b0d99d70fa4e895b939a320c29df28a34fff (diff) | |
| download | nginx-9129fb3db9e2f9899161e9573e7a19c774a0df6a.tar.gz nginx-9129fb3db9e2f9899161e9573e7a19c774a0df6a.zip | |
HTTP/3: null-terminate empty header value.
Header value returned from the HTTP parser is expected to be null-terminated or
have a spare byte after the value bytes. When an empty header value was passed
by client in a literal header representation, neither was true. This could
result in segfault. The fix is to assign a literal empty null-terminated
string in this case.
Thanks to Andrey Kolyshkin.
Diffstat (limited to 'src/http/v3/ngx_http_v3_parse.c')
| -rw-r--r-- | src/http/v3/ngx_http_v3_parse.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/http/v3/ngx_http_v3_parse.c b/src/http/v3/ngx_http_v3_parse.c index d5ff3cb8f..afe442464 100644 --- a/src/http/v3/ngx_http_v3_parse.c +++ b/src/http/v3/ngx_http_v3_parse.c @@ -746,6 +746,7 @@ ngx_http_v3_parse_header_l(ngx_connection_t *c, st->literal.length = st->pint.value; if (st->literal.length == 0) { + st->value.data = (u_char *) ""; goto done; } |