details:   https://hg.nginx.org/njs/rev/f75f670905f0
branches:  
changeset: 2339:f75f670905f0
user:      Dmitry Volyntsev <xei...@nginx.com>
date:      Thu May 23 22:50:34 2024 -0700
description:
Fetch: fixed heap-buffer-overflow in Headers.get().

Previously, when more than one header with the same name was added to a
Headers object and Headers.get() was used to retrieve the duplicated
header, a heap-buffer-overflow occurred. The overflow was caused by an
incorrect calculation of the combined header value's length.

The issue was introduced in c43261bad627 (0.7.10).

diffstat:

 nginx/ngx_js_fetch.c |  31 ++++++++++---------------------
 1 files changed, 10 insertions(+), 21 deletions(-)

diffs (60 lines):

diff -r 437fc09db765 -r f75f670905f0 nginx/ngx_js_fetch.c
--- a/nginx/ngx_js_fetch.c      Thu May 23 22:50:19 2024 -0700
+++ b/nginx/ngx_js_fetch.c      Thu May 23 22:50:34 2024 -0700
@@ -3181,9 +3181,8 @@ static njs_int_t
 ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name,
     njs_value_t *retval, njs_bool_t as_array)
 {
-    u_char            *data, *p;
-    size_t             len;
     njs_int_t          rc;
+    njs_chb_t          chain;
     ngx_uint_t         i;
     ngx_js_tb_elt_t   *h, *ph;
     ngx_list_part_t   *part;
@@ -3254,36 +3253,26 @@ ngx_headers_js_get(njs_vm_t *vm, njs_val
         return NJS_DECLINED;
     }
 
-    len = 0;
+    NJS_CHB_MP_INIT(&chain, vm);
+
     h = ph;
 
-    while (ph != NULL) {
-        len = ph->value.len + njs_length(", ");
-        ph = ph->next;
-    }
-
-    len -= njs_length(", ");
-
-    data = njs_mp_alloc(njs_vm_memory_pool(vm), len);
-    if (data == NULL) {
-        njs_vm_memory_error(vm);
-        return NJS_ERROR;
-    }
-
-    p = data;
-
     for ( ;; ) {
-        p = ngx_cpymem(p, h->value.data, h->value.len);
+        njs_chb_append(&chain, h->value.data, h->value.len);
 
         if (h->next == NULL) {
             break;
         }
 
-        *p++ = ','; *p++ = ' ';
+        njs_chb_append_literal(&chain, ", ");
         h = h->next;
     }
 
-    return njs_vm_value_string_create(vm, retval, data, p - data);
+    rc = njs_vm_value_string_create_chb(vm, retval, &chain);
+
+    njs_chb_destroy(&chain);
+
+    return rc;
 }
 
 
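Review bot: The loop starting at `h = ph;` / `for ( ;; )` dereferences `h` without a NULL check, so it relies on the lookup above this hunk having already returned NJS_DECLINED when no header matched; a one-line comment such as `/* ph is non-NULL here: the lookup above returns NJS_DECLINED otherwise */` would make that invariant explicit for the next reader. The individual `njs_chb_append` calls are not checked; from the pattern this presumably relies on the chain recording an allocation failure that `njs_vm_value_string_create_chb` then reports, which is worth confirming since the removed code raised `njs_vm_memory_error` itself on the failed `njs_mp_alloc`. The diffstat lists only ngx_js_fetch.c, so a regression test exercising Headers.get() on a name added more than once would guard against this overflow being reintroduced, given the description says it was introduced in an earlier change. ngx_headers_js_get begins before this hunk, in the previous one.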