Added overflow checks for version numbers (ticket #762).
authorMaxim Dounin <mdounin@mdounin.ru>
Wed, 18 May 2016 13:21:32 +0000 (16:21 +0300)
committerMaxim Dounin <mdounin@mdounin.ru>
Wed, 18 May 2016 13:21:32 +0000 (16:21 +0300)
Both minor and major versions are now limited to 999 maximum.  In case of
r->http_minor, this limit is already implied by the code.  Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.

src/http/ngx_http_parse.c

index 0e0b3a237725c180e8a3c7d8d31e759a2a57819a..59aa1fea92bf9d8c2df4c6757013dcf41ff85f40 100644 (file)
@@ -737,6 +737,10 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
+            if (r->http_major > 99) {
+                return NGX_HTTP_PARSE_INVALID_REQUEST;
+            }
+
             r->http_major = r->http_major * 10 + ch - '0';
             break;
 
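Review bot: The bare `99` in the guard added before `r->http_major = r->http_major * 10 + ch - '0';` does not visibly match the 999 limit the commit message states. It is correct only because the test runs before the multiply, so a value of at most 99 can take one more digit and end at 999 at most. A one-line comment above the check would make that explicit, for example `/* at most three digits: reject before the value can exceed 999 */`. The same literal is repeated in the http_minor hunk of ngx_http_parse_request_line and in both ngx_http_parse_status_line hunks, so a single named constant shared by the four checks would stop them drifting apart. The enclosing switch cases begin and end outside the hunk, so how the bounded values are used later is not visible here.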
@@ -770,6 +774,10 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                 return NGX_HTTP_PARSE_INVALID_REQUEST;
             }
 
+            if (r->http_minor > 99) {
+                return NGX_HTTP_PARSE_INVALID_REQUEST;
+            }
+
             r->http_minor = r->http_minor * 10 + ch - '0';
             break;
 
@@ -1680,6 +1688,10 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
                 return NGX_ERROR;
             }
 
+            if (r->http_major > 99) {
+                return NGX_ERROR;
+            }
+
             r->http_major = r->http_major * 10 + ch - '0';
             break;
 
@@ -1704,6 +1716,10 @@ ngx_http_parse_status_line(ngx_http_request_t *r, ngx_buf_t *b,
                 return NGX_ERROR;
             }
 
+            if (r->http_minor > 99) {
+                return NGX_ERROR;
+            }
+
             r->http_minor = r->http_minor * 10 + ch - '0';
             break;