diff options
| author | nginx <nginx@nginx.org> | 2014-03-18 16:43:46 +0000 |
|---|---|---|
| committer | Jon Kolb <kolbyjack@gmail.com> | 2014-03-18 16:43:46 +0000 |
| commit | 47c4fba86c48d7b8556c7f4d6d3773a25ab162fe (patch) | |
| tree | f45083ebcdfde566c3775457bfc35053af34b759 /src | |
| parent | 483f0cd547195b96550760fc5ab510eb67ec0160 (diff) | |
| download | nginx-1.4.tar.gz | |
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0133).
Thanks to Lucas Molas, researcher at Programa STIC, FundaciĆ³n Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Bugfix: in the "fastcgi_next_upstream" directive.
Thanks to Lucas Molas.
Diffstat (limited to 'src')
| -rw-r--r-- | src/core/nginx.h | 4 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_fastcgi_module.c | 11 | ||||
| -rw-r--r-- | src/http/ngx_http_spdy.c | 2 |
3 files changed, 14 insertions, 3 deletions
diff --git a/src/core/nginx.h b/src/core/nginx.h index 227e5f735..77c88bf5f 100644 --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1004006 -#define NGINX_VERSION "1.4.6" +#define nginx_version 1004007 +#define NGINX_VERSION "1.4.7" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c index f386926da..e2427b4a8 100644 --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r) f->fastcgi_stdout = 0; f->large_stderr = 0; + if (f->split_parts) { + f->split_parts->nelts = 0; + } + r->state = 0; return NGX_OK; @@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r) rc = ngx_http_parse_header_line(r, &buf, 1); + if (rc != NGX_OK) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "invalid header after joining " + "FastCGI records"); + return NGX_ERROR; + } + h->key.len = r->header_name_end - r->header_name_start; h->key.data = r->header_name_start; h->key.data[h->key.len] = '\0'; diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index f4f610a82..99afbfca1 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1465,7 +1465,7 @@ static u_char * ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc, u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler) { -#if (NGX_DEBUG) +#if 1 if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) { ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0, "spdy state buffer overflow: " |