HTTP parser: fixed memory overflow in the collisions test.

The level hash uses the NULL value as the indicator of a free entry in a bucket.
So, inserting a NULL value breaks the hash and can lead to a bucket overflow.

In case of the collision counter, the value wasn't initialized, since it's not
needed for the purpose of checking collisions.  As a result, it might contain
any garbage from the stack and in some rare cases the value was NULL.

Now the value is initialized.
Valentin Bartenev
2017-12-26 17:18:57 +03:00
parent 8830d73261
commit 95a9cb94d5
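
A toy model of the failure the commit message describes, added here as an example and not taken from the project's code: a bucket where NULL marks a free slot, so storing NULL makes the entry count diverge from real occupancy. All names (`toy_bucket_t`, `toy_insert_*`, `toy_occupied`) are hypothetical and the layout is an assumption, not the real level hash structure.

```c
#include <stddef.h>

#define SLOTS 4
enum { TOY_OK = 0, TOY_FULL = -1, TOY_INVALID = -2 };

/* Toy bucket (constructed): a NULL slot means "free". */
typedef struct {
    const void *slot[SLOTS];
    unsigned    used;   /* entries the bucket believes it holds */
} toy_bucket_t;

/* Unchecked insert: trusts the caller never to pass NULL. */
static int toy_insert_unchecked(toy_bucket_t *b, const void *value)
{
    if (b->used >= SLOTS) return TOY_FULL;
    for (size_t i = 0; i < SLOTS; i++) {
        if (b->slot[i] == NULL) {
            b->slot[i] = value;  /* a NULL value leaves the slot looking free */
            b->used++;
            return TOY_OK;
        }
    }
    return TOY_FULL;
}

/* Checked insert: rejects the sentinel before touching the bucket. */
static int toy_insert_checked(toy_bucket_t *b, const void *value)
{
    return (value == NULL) ? TOY_INVALID : toy_insert_unchecked(b, value);
}

/* Slots that really hold a value, found by scanning for the sentinel. */
static unsigned toy_occupied(const toy_bucket_t *b)
{
    unsigned n = 0;
    for (size_t i = 0; i < SLOTS; i++) n += (b->slot[i] != NULL);
    return n;
}

int main(void)
{
    static const int item = 1;
    toy_bucket_t b = { {NULL}, 0 };
    toy_insert_unchecked(&b, NULL);   /* counted, but the slot stays "free" */
    toy_insert_unchecked(&b, &item);  /* lands in the same slot */
    /* used is now 2 while only 1 slot is occupied: bookkeeping diverged */
    return (b.used == 2 && toy_occupied(&b) == 1 && toy_insert_checked(&b, NULL) == TOY_INVALID) ? 0 : 1;
}
```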

@@ -1191,6 +1191,7 @@ nxt_http_fields_hash_collisions(nxt_lvlhsh_t *hash, nxt_mp_t *mp,
} }
lhq.key_hash = nxt_http_field_hash_end(key) & mask; lhq.key_hash = nxt_http_field_hash_end(key) & mask;
lhq.value = &items[i];
if (nxt_lvlhsh_insert(hash, &lhq) == NXT_DECLINED) { if (nxt_lvlhsh_insert(hash, &lhq) == NXT_DECLINED) {
colls++; colls++;
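
Review bot: the new `lhq.value = &items[i];` line carries no comment explaining why a value is assigned in a test that only counts collisions, so it reads as dead code and is at risk of being removed again. A one-line comment above it saying that `nxt_lvlhsh_insert` treats a NULL value as a free bucket entry, and that the value therefore only needs to be non-NULL, would preserve the reasoning from the commit message at the call site. It may also be worth a debug-time check for a NULL `lhq.value` on the insert path, so that any other caller with an uninitialized query fails immediately rather than corrupting a bucket in rare runs.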