The ngx_http_slice_parse_content_range function assumes that the parsed buffer 
is null terminated. Since the buffer is an ngx_str_t, that assumption is false. 
If, by chance, the buffer is null terminated it is simply a matter of luck, and 
not design.

In particular, if the headers_out.content_range ngx_str_t was allocated in the 
ngx_http_range_filter_module then the buffer was allocated as a non-zero 
terminated buffer by ngx_pnalloc.

The fact that the buffer is not null terminated may lead to 
ngx_http_slice_parse_content_range returning an NGX_ERROR code after the buffer 
was successfully parsed, or, if the caller is unfortunate, leading to a random 
memory access failure.

I've written a replacement function that uses the length of the ngx_str_t as a 
guard condition. This code works and passes all of the unit tests.

How should I submit the replacement?

Carey Gister
415-310-5304

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
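
An added illustration of the length-guarded parsing described in the message above. It is not the poster's replacement function (which does not appear on this page) and not nginx source. The types `str_t` and `content_range_t` and the functions `skip_sp`, `parse_num`, `parse_content_range` and `parse_total` are hypothetical stand-ins, and the inputs in mind are constructed byte strings with trailing bytes placed after the valid length.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-ins for this example; not the nginx definitions. */
typedef struct { size_t len; const unsigned char *data; } str_t;
typedef struct { long long start, end, complete_length; } content_range_t;

/* Skip spaces without stepping past last (one past the final valid byte). */
static const unsigned char *skip_sp(const unsigned char *p, const unsigned char *last)
{
    while (p < last && *p == ' ') p++;
    return p;
}

/* Parse one decimal number; every read is guarded by p < last. */
static int parse_num(const unsigned char **pp, const unsigned char *last, long long *out)
{
    const unsigned char *p = skip_sp(*pp, last);
    long long v = 0;
    if (p == last || *p < '0' || *p > '9') return -1;      /* need a digit */
    for (; p < last && *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (v > (LLONG_MAX - d) / 10) return -1;            /* overflow */
        v = v * 10 + d;
    }
    *pp = skip_sp(p, last);
    *out = v;
    return 0;
}

/* "bytes <start>-<end>/<total>"; returns 0 on success, -1 on error. */
int parse_content_range(const str_t *h, content_range_t *cr)
{
    const unsigned char *p = h->data, *last = h->data + h->len;
    if (h->len < 6 || memcmp(p, "bytes ", 6) != 0) return -1;
    p += 6;
    if (parse_num(&p, last, &cr->start) != 0) return -1;
    if (p == last || *p++ != '-') return -1;
    if (parse_num(&p, last, &cr->end) != 0) return -1;
    if (p == last || *p++ != '/') return -1;
    if (parse_num(&p, last, &cr->complete_length) != 0) return -1;
    return p == last ? 0 : -1;    /* end of input is len, not a NUL byte */
}
/* Convenience wrapper: total length, or -1 if the first len bytes do not parse. */
long long parse_total(const char *buf, size_t len)
{
    str_t h = { len, (const unsigned char *)buf };
    content_range_t cr;
    return parse_content_range(&h, &cr) == 0 ? cr.complete_length : -1;
}
```

With a 17-byte length over the constructed buffer `bytes 0-1023/40967XYZ`, the parser stops at the length and reports 4096; a parser that runs until a NUL would consume the trailing `7` and then fail on `X`.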
