Fetch: fixed heap-buffer-overflow in Headers.get().

Previously, when more than one header with the same name added to a Headers object and Headers.get() was used to get the the duplicate header heap-buffer-overflow occured. The overflow occurred due to an incorrect calculation of the combined header value's length. The issue was introduced in c43261bad627 (0.7.10).
nginx · May 24, 2024 · 8226e6a · 8226e6a
1 parent 1250d03
commit 8226e6a
Showing 1 changed file with 10 additions and 21 deletions.
diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c
@@ -3181,9 +3181,8 @@ static njs_int_t
 ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name,
     njs_value_t *retval, njs_bool_t as_array)
 {
-    u_char            *data, *p;
-    size_t             len;
     njs_int_t          rc;
+    njs_chb_t          chain;
     ngx_uint_t         i;
     ngx_js_tb_elt_t   *h, *ph;
     ngx_list_part_t   *part;
@@ -3254,36 +3253,26 @@ ngx_headers_js_get(njs_vm_t *vm, njs_value_t *value, njs_str_t *name,
         return NJS_DECLINED;
     }
 
-    len = 0;
-    h = ph;
-
-    while (ph != NULL) {
-        len = ph->value.len + njs_length(", ");
-        ph = ph->next;
-    }
-
-    len -= njs_length(", ");
-
-    data = njs_mp_alloc(njs_vm_memory_pool(vm), len);
-    if (data == NULL) {
-        njs_vm_memory_error(vm);
-        return NJS_ERROR;
-    }
+    NJS_CHB_MP_INIT(&chain, vm);
 
-    p = data;
+    h = ph;
 
     for ( ;; ) {
-        p = ngx_cpymem(p, h->value.data, h->value.len);
+        njs_chb_append(&chain, h->value.data, h->value.len);
 
         if (h->next == NULL) {
             break;
         }
 
-        *p++ = ','; *p++ = ' ';
+        njs_chb_append_literal(&chain, ", ");
         h = h->next;
     }
 
-    return njs_vm_value_string_create(vm, retval, data, p - data);
+    rc = njs_vm_value_string_create_chb(vm, retval, &chain);
+
+    njs_chb_destroy(&chain);
+
+    return rc;
 }