If URI is not fully parsed yet, the r->uri_end pointer is NULL. As a result, calculation of the "new + (r->uri_end - old)" expression may overflow. In such a case, just avoid calculating it, as r->uri_end will be set correctly later by the parser in any case.
The issue was found by GCC undefined behaviour sanitizer.

 src/http/ngx_http_request.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
# HG changeset patch # User Vladimir Khomutov <v...@wbsrv.ru> # Date 1698407686 -10800 # Fri Oct 27 14:54:46 2023 +0300 # Node ID 1b28902de1c648fc2586bba8e05c2ff63e0e33cb # Parent ef9f124b156aff0e9f66057e438af835bd7a60d2 HTTP: suppressed possible overflow in interim r->uri_end calculation. If URI is not fully parsed yet, the r->uri_end pointer is NULL. As a result, calculation of "new + (r->uri_end - old)" expression may overflow. In such case, just avoid calculating it, as r->uri_end will be set correctly later by the parser in any case. The issue was found by GCC undefined behaviour sanitizer. diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1721,7 +1721,9 @@ ngx_http_alloc_large_header_buffer(ngx_h r->method_end = new + (r->method_end - old); r->uri_start = new + (r->uri_start - old); - r->uri_end = new + (r->uri_end - old); + if (r->uri_end) { + r->uri_end = new + (r->uri_end - old); + } if (r->schema_start) { r->schema_start = new + (r->schema_start - old);
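Review bot: the new guard on r->uri_end mirrors the existing `if (r->schema_start)` pattern directly below it, but `r->method_end` and `r->uri_start` are still relocated unconditionally in the two lines above; worth confirming they can never be NULL when this path is reached during request-line parsing, or guarding them the same way. A one-line comment above the new `if` (e.g. `/* uri_end is NULL until the URI has been fully parsed */`) would spare the next reader a trip to the commit log. Also, the commit message describes this as an overflow; what the sanitizer actually flags is pointer subtraction with a NULL `r->uri_end`, which is undefined behaviour whether or not the result wraps, so "undefined pointer arithmetic" would describe the fix more precisely than "overflow".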
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel