From 91826012f6485d2cbf90dd8f7aa38406011fa9d2 Mon Sep 17 00:00:00 2001
From: Markus Linnala
Date: Sat, 7 Mar 2015 11:18:09 +0200
Subject: [PATCH] add openssl hmac defensive test

md_len might be uninitialized. It might not be set at HMAC if something goes wrong. Later it is used at memory allocation and memcpy and uninitialized variable breaks havoc there.
---
 src/ngx_http_set_hmac.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/ngx_http_set_hmac.c b/src/ngx_http_set_hmac.c
index 3cca9d0..14b0a10 100644
--- a/src/ngx_http_set_hmac.c
+++ b/src/ngx_http_set_hmac.c
@@ -17,7 +17,7 @@ ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r, ngx_str_t *res,
 ngx_http_variable_value_t *v)
 {
 ngx_http_variable_value_t *secret, *string_to_sign;
- unsigned int md_len;
+ unsigned int md_len = 0;
 unsigned char md[EVP_MAX_MD_SIZE];
 const EVP_MD *evp_md;
@@ -32,6 +32,12 @@ ngx_http_set_misc_set_hmac_sha1(ngx_http_request_t *r, ngx_str_t *res,
 HMAC(evp_md, secret->data, secret->len, string_to_sign->data, string_to_sign->len, md, &md_len);
+ /* defensive test if there is something wrong with openssl */
+ if (md_len == 0 || md_len > EVP_MAX_MD_SIZE) {
+ res->len = 0;
+ return NGX_ERROR;
+ }
+
 res->len = md_len;
 ndk_palloc_re(res->data, r->pool, md_len);
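Review bot: The new guard after the `HMAC()` call in the second hunk infers failure only from `md_len`, while the call's return value (NULL when OpenSSL fails) is still discarded; checking it directly does not depend on what OpenSSL leaves in `md_len` on an error path. I would fold it into the condition: `if (HMAC(evp_md, secret->data, secret->len, string_to_sign->data, string_to_sign->len, md, &md_len) == NULL || md_len == 0 || md_len > EVP_MAX_MD_SIZE) {`. The error branch also returns `NGX_ERROR` silently, so a line such as `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "set_hmac_sha1: HMAC() failed");` before the return would let operators tell a crypto failure from other errors. The function's opening and its tail (whatever copies `md` into `res->data`) lie outside this hunk, so whether later code relies on `md_len` in other ways is not visible here.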