Proxy: fixed possible uninitialized memory access.

The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index cf7d677aebc17aac92eaf9b2e3e2af3259399474..ed596f8623e43fb5e37f02d232000e72cd1c98cf 100644 (file)
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -2365,7 +2365,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
 
     if (replacement->len > len) {
 
-        data = ngx_pnalloc(r->pool, new_len);
+        data = ngx_pnalloc(r->pool, new_len + 1);
         if (data == NULL) {
             return NGX_ERROR;
         }
@@ -2374,7 +2374,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
         p = ngx_copy(p, replacement->data, replacement->len);
 
         ngx_memcpy(p, h->value.data + prefix + len,
-                   h->value.len - len - prefix);
+                   h->value.len - len - prefix + 1);
 
         h->value.data = data;
 
@@ -2383,7 +2383,7 @@ ngx_http_proxy_rewrite(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix,
                      replacement->len);
 
         ngx_memmove(p, h->value.data + prefix + len,
-                    h->value.len - len - prefix);
+                    h->value.len - len - prefix + 1);
     }
 
     h->value.len = new_len;