details: https://hg.nginx.org/njs/rev/f75f670905f0 branches: changeset: 2339:f75f670905f0 user: Dmitry Volyntsev <xei...@nginx.com> date: Thu May 23 22:50:34 2024 -0700 description: Fetch: fixed heap-buffer-overflow in Headers.get().
Previously, when more than one header with the same name was added to a Headers object and Headers.get() was used to get the duplicate header, a heap-buffer-overflow occurred. The overflow occurred due to an incorrect calculation of the combined header value's length. The issue was introduced in c43261bad627 (0.7.10). diffstat: nginx/ngx_js_fetch.c | 31 ++++++++++--------------------- 1 files changed, 10 insertions(+), 21 deletions(-) diffs (60 lines): diff -r 437fc09db765 -r f75f670905f0 nginx/ngx_js_fetch.c --- a/nginx/ngx_js_fetch.c Thu May 23 22:50:19 2024 -0700 +++ b/nginx/ngx_js_fetch.c Thu May 23 22:50:34 2024 -0700 @@ -3181,9 +3181,8 @@ static njs_int_t ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name, njs_value_t *retval, njs_bool_t as_array) { - u_char *data, *p; - size_t len; njs_int_t rc; + njs_chb_t chain; ngx_uint_t i; ngx_js_tb_elt_t *h, *ph; ngx_list_part_t *part; @@ -3254,36 +3253,26 @@ ngx_headers_js_get(njs_vm_t *vm, njs_val return NJS_DECLINED; } - len = 0; + NJS_CHB_MP_INIT(&chain, vm); + h = ph; - while (ph != NULL) { - len = ph->value.len + njs_length(", "); - ph = ph->next; - } - - len -= njs_length(", "); - - data = njs_mp_alloc(njs_vm_memory_pool(vm), len); - if (data == NULL) { - njs_vm_memory_error(vm); - return NJS_ERROR; - } - - p = data; - for ( ;; ) { - p = ngx_cpymem(p, h->value.data, h->value.len); + njs_chb_append(&chain, h->value.data, h->value.len); if (h->next == NULL) { break; } - *p++ = ','; *p++ = ' '; + njs_chb_append_literal(&chain, ", "); h = h->next; } - return njs_vm_value_string_create(vm, retval, data, p - data); + rc = njs_vm_value_string_create_chb(vm, retval, &chain); + + njs_chb_destroy(&chain); + + return rc; } _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
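Review bot: The `njs_chb_append()` and `njs_chb_append_literal()` calls in the rewritten loop of the second hunk have no result check at the call site, so an allocation failure while the chain grows is presumably only surfaced through the `rc` of `njs_vm_value_string_create_chb()`; that deferred-error contract is worth confirming and stating, e.g. `/* chain allocation failures are reported by njs_vm_value_string_create_chb() */` above the `rc = ...` line. The diffstat touches only `nginx/ngx_js_fetch.c`, so nothing visible here exercises the fixed path; a regression test that adds two headers with the same name and reads them back with `Headers.get()`, run under AddressSanitizer, would keep the length miscalculation from returning. The body of `ngx_headers_js_get()` starts outside this hunk, so the guarantee that `ph` is non-NULL when the loop is entered is only inferred from the `return NJS_DECLINED;` just above.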