diff options
| author | NGINX team <nginx@nginx.org> | 2012-04-12 13:05:40 +0000 |
|---|---|---|
| committer | Jon Kolb <jon@b0g.us> | 2012-04-12 13:05:40 +0000 |
| commit | ed2df87c83d3a68ab2a395d4c2549dbe26e86ab0 (patch) | |
| tree | ff91c69d84d5e4b84a15a12b873c3cb2193fd481 /src/core/ngx_inet.c | |
| parent | 60a50f7b445d1ac18ea0b1ff140745b6844c6794 (diff) | |
| download | nginx-1.1.tar.gz | |
*) Security: specially crafted mp4 file might allow to overwrite memory
locations in a worker process if the ngx_http_mp4_module was used,
potentially resulting in arbitrary code execution (CVE-2012-2089).
Thanks to Matthew Daley.
*) Bugfix: nginx/Windows might be terminated abnormally.
Thanks to Vincent Lee.
*) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
"backup".
*) Bugfix: the "allow" and "deny" directives might be inherited
incorrectly if they were used with IPv6 addresses.
*) Bugfix: the "modern_browser" and "ancient_browser" directives might
be inherited incorrectly.
*) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC.
*) Bugfix: in the ngx_http_mp4_module.
Diffstat (limited to 'src/core/ngx_inet.c')
| -rw-r--r-- | src/core/ngx_inet.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c index 2785c8c8c..d2bbbfb58 100644 --- a/src/core/ngx_inet.c +++ b/src/core/ngx_inet.c @@ -44,11 +44,7 @@ ngx_inet_addr(u_char *text, size_t len) return INADDR_NONE; } - if (n != 3) { - return INADDR_NONE; - } - - if (octet < 256) { + if (n == 3 && octet < 256) { addr = (addr << 8) + octet; return htonl(addr); } @@ -407,6 +403,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr) #if (NGX_HAVE_INET6) case AF_INET6: + if (shift > 128) { + return NGX_ERROR; + } + addr = cidr->u.in6.addr.s6_addr; mask = cidr->u.in6.mask.s6_addr; rc = NGX_OK; @@ -416,7 +416,7 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr) s = (shift > 8) ? 8 : shift; shift -= s; - mask[i] = (u_char) (0 - (1 << (8 - s))); + mask[i] = (u_char) (0xffu << (8 - s)); if (addr[i] != (addr[i] & mask[i])) { rc = NGX_DONE; @@ -428,9 +428,12 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr) #endif default: /* AF_INET */ + if (shift > 32) { + return NGX_ERROR; + } if (shift) { - cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift)))); + cidr->u.in.mask = htonl((uint32_t) (0xffffffffu << (32 - shift))); } else { /* x86 compilers use a shl instruction that shifts by modulo 32 */ @@ -459,7 +462,7 @@ ngx_parse_addr(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text, size_t len) struct sockaddr_in6 *sin6; /* - * prevent MSVC8 waring: + * prevent MSVC8 warning: * potentially uninitialized local variable 'inaddr6' used */ ngx_memzero(inaddr6.s6_addr, sizeof(struct in6_addr)); |