authorIgor Sysoev <igor@sysoev.ru>2009-09-14 13:13:27 +0000
committerJonathan Kolb <jon@b0g.us>2009-09-14 13:13:27 +0000
commit6dc552f6eaa0454716cd6dbccdf74e71f96fba5a (patch)
tree3371e87e6ce2dad726b9ea6a86f83a864976c7e1
parent54ac043bb002bc99c210332a03a4bd67466f79ac (diff)
Changes with nginx 0.6.39 14 Sep 2009v0.6.39nginx-0.6
*) Security: a segmentation fault might occur in worker process while specially crafted request handling. Thanks to Chris Ries. *) Bugfix: a segmentation fault might occur in worker process, if error_log was set to info or debug level. Thanks to Sergey Bochenkov.
-rw-r--r--CHANGES19
-rw-r--r--CHANGES.ru11
-rw-r--r--src/core/nginx.h4
-rw-r--r--src/http/modules/perl/nginx.pm2
-rw-r--r--src/http/ngx_http_parse.c16
5 files changed, 39 insertions, 13 deletions
diff --git a/CHANGES b/CHANGES
index f398ff76c..2836e1aed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
+Changes with nginx 0.6.39 14 Sep 2009
+
+ *) Security: a segmentation fault might occur in worker process while
+ specially crafted request handling.
+ Thanks to Chris Ries.
+
+ *) Bugfix: a segmentation fault might occur in worker process, if
+ error_log was set to info or debug level.
+ Thanks to Sergey Bochenkov.
+
+
Changes with nginx 0.6.38 22 Jun 2009
*) Feature: the "keepalive_requests" directive.
@@ -1021,8 +1032,8 @@ Changes with nginx 0.5.12 12 Feb 2007
amd64, sparc, and ppc; the bug had appeared in 0.5.8.
*) Bugfix: a segmentation fault might occur in worker process if the
- temporarily files were used while working with FastCGI server; the
- bug had appeared in 0.5.8.
+ temporary files were used while working with FastCGI server; the bug
+ had appeared in 0.5.8.
*) Bugfix: a segmentation fault might occur in worker process if the
$fastcgi_script_name variable was logged.
@@ -1925,8 +1936,8 @@ Changes with nginx 0.3.31 10 Mar 2006
in 0.3.18.
*) Bugfix: if the HTTPS protocol was used in the "proxy_pass" directive
- and the request body was in temporarily file then the request was
- not transferred.
+ and the request body was in temporary file then the request was not
+ transferred.
*) Bugfix: perl 5.8.8 compatibility.
diff --git a/CHANGES.ru b/CHANGES.ru
index a4140596a..3a99158a1 100644
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,15 @@
+Изменения в nginx 0.6.39 14.09.2009
+
+ *) Безопасность: при обработке специально созданного запроса в рабочем
+ процессе мог произойти segmentation fault.
+ Спасибо Chris Ries.
+
+ *) Исправление: при использовании error_log на уровне info или debug в
+ рабочем процессе мог произойти segmentation fault.
+ Спасибо Сергею Боченкову.
+
+
Изменения в nginx 0.6.38 22.06.2009
*) Добавление: директива keepalive_requests.
diff --git a/src/core/nginx.h b/src/core/nginx.h
index f386edec5..1d023ce8e 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -8,8 +8,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 006038
-#define NGINX_VERSION "0.6.38"
+#define nginx_version 006039
+#define NGINX_VERSION "0.6.39"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm
index 95ef2f0dc..a63a3834f 100644
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw(
HTTP_INSUFFICIENT_STORAGE
);
-our $VERSION = '0.6.38';
+our $VERSION = '0.6.39';
require XSLoader;
XSLoader::load('nginx', $VERSION);
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 7975361c4..87fda2b61 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -738,6 +738,7 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b)
/* first char */
case sw_start:
+ r->header_name_start = p;
r->invalid_header = 0;
switch (ch) {
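Review bot: The assignment `r->header_name_start = p;` now sits at the top of `case sw_start:` with nothing saying why it has to precede the inner `switch (ch)`, so a later cleanup could move it back into the `default:` branch where the second hunk of this file removes it. The changelog entry about a crash with `error_log` at info or debug level suggests that code outside these hunks reads `header_name_start` on paths that leave `sw_start` through the other branches. If that is right, a comment such as `/* set for every branch: header_name_start may be read even when the line is not a regular header */` would pin the invariant. The body of `ngx_http_parse_header_line` continues outside the hunk.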
@@ -750,7 +751,6 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b)
goto header_done;
default:
state = sw_name;
- r->header_name_start = p;
c = lowcase[ch];
@@ -1123,11 +1123,15 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
#endif
case '/':
state = sw_slash;
- u -= 4;
- if (u < r->uri.data) {
- return NGX_HTTP_PARSE_INVALID_REQUEST;
- }
- while (*(u - 1) != '/') {
+ u -= 5;
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ if (*u == '/') {
+ u++;
+ break;
+ }
u--;
}
break;
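Review bot: `u -= 5;` at the top of the new block can move `u` below `r->uri.data` before the loop's `if (u < r->uri.data)` test runs, and forming and comparing a pointer that far before the start of an object is undefined behaviour in C, so the guard that closes the out-of-bounds read depends on how the compiler treats it. Comparing the distance first and stopping the backward walk at `r->uri.data` accepts and rejects the same inputs without the pointer ever leaving the buffer. This assumes `u` always points into the buffer that starts at `r->uri.data`, which the hunk suggests but does not show. A short comment on what the 5 covers would also help, since the constant changed from 4 together with the switch from `*(u - 1)` to `*u`. `ngx_http_parse_complex_uri` starts and ends outside the hunk.

```c
                state = sw_slash;
                /* check the distance before stepping back, so u never points below uri.data */
                if (u - r->uri.data < 5) {
                    return NGX_HTTP_PARSE_INVALID_REQUEST;
                }
                u -= 5;
                while (*u != '/') {
                    if (u == r->uri.data) {
                        return NGX_HTTP_PARSE_INVALID_REQUEST;
                    }
                    u--;
                }
                u++;
                break;
```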