author | Valentin Bartenev <vbart@nginx.com> | 2017-12-26 17:18:57 +0300 |
---|---|---|
committer | Valentin Bartenev <vbart@nginx.com> | 2017-12-26 17:18:57 +0300 |
commit | 95a9cb94d56ab85c0fd7d765d97ae807a9333f9e (patch) | |
tree | c21613eb8940a61eee04513715b3e0c825761c98 | |
parent | 8830d732614276b015c56fec2fb3cb77de9f8441 (diff) | |
HTTP parser: fixed memory overflow in the collisions test.
The level hash uses the NULL value as the indicator of a free entry in a bucket.
So, inserting a NULL value breaks the hash and can lead to a bucket overflow.
In case of the collision counter, the value wasn't initialized, since it's not
needed for the purpose of checking collisions. As a result, it might contain
any garbage from the stack and in some rare cases the value was NULL.
Now the value is initialized.
-rw-r--r-- | src/nxt_http_parse.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c index 2913fa90..34d88839 100644 --- a/src/nxt_http_parse.c +++ b/src/nxt_http_parse.c @@ -1191,6 +1191,7 @@ nxt_http_fields_hash_collisions(nxt_lvlhsh_t *hash, nxt_mp_t *mp, } lhq.key_hash = nxt_http_field_hash_end(key) & mask; + lhq.value = &items[i]; if (nxt_lvlhsh_insert(hash, &lhq) == NXT_DECLINED) { colls++; |
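Review bot: the added `lhq.value = &items[i];` in nxt_http_fields_hash_collisions() carries no comment explaining why a value is assigned when the collision counter never reads it, so it looks like a dead store and could be dropped again in a later cleanup. A one-line comment above it, noting that the level hash treats a NULL value as a free bucket entry and so the value must be non-NULL, would keep that constraint next to the code. The hunk shows only `key_hash` and `value` being set on `lhq`, so it is also worth confirming that no other field read by `nxt_lvlhsh_insert()` is left uninitialized on the stack in the same way.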