From 95a9cb94d56ab85c0fd7d765d97ae807a9333f9e Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Tue, 26 Dec 2017 17:18:57 +0300 Subject: [PATCH] HTTP parser: fixed memory overflow in the collisions test. The level hash uses the NULL value as the indicator of a free entry in a bucket. So, inserting a NULL value breaks the hash and can lead to a bucket overflow. In case of the collision counter, the value wasn't initialized, since it's not needed for the purpose of checking collisions. As a result, it might contain any garbage from the stack and in some rare cases the value was NULL. Now the value is initialized. --- src/nxt_http_parse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c index 2913fa90..34d88839 100644 --- a/src/nxt_http_parse.c +++ b/src/nxt_http_parse.c @@ -1191,6 +1191,7 @@ nxt_http_fields_hash_collisions(nxt_lvlhsh_t *hash, nxt_mp_t *mp, } lhq.key_hash = nxt_http_field_hash_end(key) & mask; + lhq.value = &items[i]; if (nxt_lvlhsh_insert(hash, &lhq) == NXT_DECLINED) { colls++;
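Review bot: setting lhq.value = &items[i] right before nxt_lvlhsh_insert() is a correct fix for this call site, since the address of an array element is never NULL and is distinct per item, but the hunk leaves the underlying hazard untouched: nxt_lvlhsh_insert() still accepts a query whose value is NULL and silently treats the stored entry as a free slot, which is exactly what turned uninitialized stack data into a bucket overflow. Consider rejecting or asserting on a NULL lhq.value in the level hash insert path so the next caller that forgets to set it fails deterministically instead of corrupting a bucket. Note that zero-initializing lhq at its declaration would not be a substitute for this assignment, because a zero value is precisely the NULL the hash interprets as free; a rare overflow would become a guaranteed one. A short comment above the new line saying the value is set only to keep the entry non-NULL would also help future readers, since, as the commit message says, nxt_http_fields_hash_collisions() never needs it for the collision check itself.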