author: Valentin Bartenev <vbart@nginx.com> 2017-12-26 17:18:57 +0300
committer: Valentin Bartenev <vbart@nginx.com> 2017-12-26 17:18:57 +0300
commit: 95a9cb94d56ab85c0fd7d765d97ae807a9333f9e
tree: c21613eb8940a61eee04513715b3e0c825761c98 /src
parent: 8830d732614276b015c56fec2fb3cb77de9f8441
HTTP parser: fixed memory overflow in the collisions test.
The level hash uses the NULL value as the indicator of a free entry in a bucket. So, inserting a NULL value breaks the hash and can lead to a bucket overflow. In case of the collision counter, the value wasn't initialized, since it's not needed for the purpose of checking collisions. As a result, it might contain any garbage from the stack and in some rare cases the value was NULL. Now the value is initialized.
Diffstat (limited to '')
-rw-r--r-- src/nxt_http_parse.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c
index 2913fa90..34d88839 100644
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -1191,6 +1191,7 @@ nxt_http_fields_hash_collisions(nxt_lvlhsh_t *hash, nxt_mp_t *mp,
}
lhq.key_hash = nxt_http_field_hash_end(key) & mask;
+ lhq.value = &items[i];
if (nxt_lvlhsh_insert(hash, &lhq) == NXT_DECLINED) {
colls++;
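Review bot: the added `lhq.value = &items[i];` has no comment, and because the collisions test never reads the value, the line looks redundant to anyone who has not seen the commit message. A one-line comment above it would protect it from later cleanup, for example that the level hash treats a NULL value as a free bucket entry, so the value must be non-NULL here even though it is otherwise unused. The fix also leaves the invariant to each caller: per the commit message, a NULL value passed to `nxt_lvlhsh_insert` can overflow a bucket, so a debug assertion on the value at the top of the insert path would turn any future uninitialized `lhq.value` into an immediate failure instead of silent memory corruption.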