author | Valentin Bartenev <vbart@nginx.com> | 2013-08-15 19:14:58 +0400 |
---|---|---|
committer | Valentin Bartenev <vbart@nginx.com> | 2013-08-15 19:14:58 +0400 |
commit | 3be925b6e3c79a2030beaceb7feb0253e0ef17b5 (patch) | |
tree | e0a5974ea044ce90b66cdf3f7691808aa7f841d7 /src | |
parent | ef76fbebd6dc0b05a12ff3c19b70ab0ec9c118df (diff) | |
SPDY: fixed corruption of headers with names longer than 255.
It is a bad idea to put zero byte in position where the length of
the next header name can be stored before it was parsed.
Diffstat (limited to 'src')
-rw-r--r-- | src/http/ngx_http_spdy.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index f8136213a..d72bc3f7c 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -809,6 +809,8 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
 sc->zstream_in.next_in = pos;
 sc->zstream_in.avail_in = size;
 sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination of the last header value */
 sc->zstream_in.avail_out = buf->end - buf->last - 1;
 z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@@ -912,9 +914,14 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
 return ngx_http_spdy_state_headers_error(sc, pos, end);
 }
+ /* null-terminate the last processed header name or value */
+ *buf->pos = '\0';
+
 buf = r->header_in;
 sc->zstream_in.next_out = buf->last;
+
+ /* one byte is reserved for null-termination */
 sc->zstream_in.avail_out = buf->end - buf->last - 1;
 z = inflate(&sc->zstream_in, Z_NO_FLUSH);
@@ -996,6 +1003,9 @@ ngx_http_spdy_state_headers(ngx_http_spdy_connection_t *sc, u_char *pos,
 ngx_http_spdy_state_headers);
 }
+ /* null-terminate the last header value */
+ *buf->pos = '\0';
+
 ngx_http_spdy_run_request(r);
 return ngx_http_spdy_state_complete(sc, pos, end);
@@ -1936,6 +1946,9 @@ ngx_http_spdy_parse_header(ngx_http_request_t *r)
 return NGX_HTTP_PARSE_INVALID_HEADER;
 }
+ /* null-terminate the previous header value */
+ *p = '\0';
+
 p += NGX_SPDY_NV_NLEN_SIZE;
 r->header_name_end = p + len;
@@ -2005,6 +2018,9 @@ ngx_http_spdy_parse_header(ngx_http_request_t *r)
 return NGX_ERROR;
 }
+ /* null-terminate header name */
+ *p = '\0';
+
 p += NGX_SPDY_NV_VLEN_SIZE;
 r->header_end = p + len;
@@ -2163,11 +2179,9 @@ ngx_http_spdy_handle_request_header(ngx_http_request_t *r)
 h->key.len = r->lowcase_index;
 h->key.data = r->header_name_start;
- h->key.data[h->key.len] = '\0';
 h->value.len = r->header_size;
 h->value.data = r->header_start;
- h->value.data[h->value.len] = '\0';
 h->lowcase_key = h->key.data; |
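Review bot: The `*buf->pos = '\0';` store in the second hunk runs before `buf = r->header_in;`, so it writes through whichever buffer `buf` referred to earlier in ngx_http_spdy_state_headers, and the comment does not say that this is deliberate. The store is in bounds only while `buf->pos <= buf->last` and the one-byte reservation in `avail_out = buf->end - buf->last - 1` was applied to that same buffer. That expression goes negative, and becomes a very large count once stored in zlib's unsigned `avail_out`, if `buf->last == buf->end`. Whether a full buffer can reach these lines is not visible from the hunk, since the function body starts and ends outside it. I would extend the comment to something like `/* buf is still the buffer parsed so far; its last byte was reserved when avail_out was set */`. The same reliance on the reserved byte applies to `*buf->pos = '\0';` before `ngx_http_spdy_run_request(r);` in the third hunk.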
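Review bot: `*p = '\0';` in ngx_http_spdy_parse_header lands on the first byte of the length field that `p += NGX_SPDY_NV_NLEN_SIZE;` then skips, so it is correct only if `len` has already been read from that field. That is the same ordering hazard the commit message describes. The read of `len` is outside the hunk, so it cannot be confirmed from here. The comment should record the constraint so a later reorder does not reintroduce the corruption, e.g. `/* len is already parsed; this overwrites the first byte of the length field */`. The same applies to the `*p = '\0';` placed before `p += NGX_SPDY_NV_VLEN_SIZE;` in the following hunk.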