rpms/nginx
7
0
Fork 2
Code Issues Pull Requests Releases Activity
a9
nginx/SOURCES/0021-Rewrite-fix-buffer-overflow-with-overlapping-capture.patch
AlmaLinux RelEng Bot 73a06fa612 import UBI nginx-1.20.1-28.el9_8.3
2026-06-24 20:12:23 -04:00

73 lines
2.5 KiB
Diff
Raw Permalink Blame History

From 63505bbd21c6ed3a2e6fafdaa1ed305ddbf3e81e Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Thu, 14 May 2026 18:42:18 +0400
Subject: [PATCH] Rewrite: fix buffer overflow with overlapping captures
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string. This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.
The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":
location / {
rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
return 200 foo;
}
location / {
rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
return 200 foo;
}
Reported by Mufeed VH of Winfunc Research.
---
src/http/ngx_http_script.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index 302f842..d13ca2d 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -999,6 +999,8 @@ ngx_http_script_start_args_code(ngx_http_script_engine_t *e)
void
ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
{
+ int *cap;
+ u_char *p;
size_t len;
ngx_int_t rc;
ngx_uint_t n;
@@ -1105,15 +1107,19 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
if (code->lengths == NULL) {
e->buf.len = code->size;
- if (code->uri) {
- if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) {
- e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len,
- NGX_ESCAPE_ARGS);
- }
- }
+ cap = r->captures;
+ p = r->captures_data;
for (n = 2; n < r->ncaptures; n += 2) {
- e->buf.len += r->captures[n + 1] - r->captures[n];
+ e->buf.len += cap[n + 1] - cap[n];
+
+ if (code->uri) {
+ if (r->quoted_uri || r->plus_in_uri) {
+ e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]],
+ cap[n + 1] - cap[n],
+ NGX_ESCAPE_ARGS);
+ }
+ }
}
} else {
--
2.44.0
Reference in New Issue View Git Blame Copy Permalink