Upstream: overflow detection in Cache-Control delta-seconds.

Overflowing calculations are now aligned to the greatest positive integer as specified in RFC 9111, Section 1.2.2.
2025-09-10 18:39:52 +04:00 · 2025-09-10 18:39:52 +04:00 · 8255bd29ac
parent 93ff1ee12c
commit 8255bd29ac
1 changed files with 47 additions and 34 deletions
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@ -116,6 +116,10 @@ static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
+#if (NGX_HTTP_CACHE)
+static ngx_int_t ngx_http_upstream_process_delta_seconds(u_char *p,
+    u_char *last);
+#endif
 static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
 static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r,
@ -5066,18 +5070,9 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    }

    if (p) {
-        n = 0;
-
-        for (p += offset; p < last; p++) {
-            if (*p == ',' || *p == ';' || *p == ' ') {
-                break;
-            }
-
-            if (*p >= '0' && *p <= '9') {
-                n = n * 10 + (*p - '0');
-                continue;
-            }
+        n = ngx_http_upstream_process_delta_seconds(p + offset, last);

+        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5087,7 +5082,8 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
            return NGX_OK;
        }

-        r->cache->valid_sec = ngx_time() + n;
+        r->cache->valid_sec = ngx_min((ngx_uint_t) ngx_time() + n,
+                                      NGX_MAX_INT_T_VALUE);
        u->headers_in.expired = 0;
    }

@ -5097,18 +5093,9 @@ extensions:
                         23 - 1);

    if (p) {
-        n = 0;
-
-        for (p += 23; p < last; p++) {
-            if (*p == ',' || *p == ';' || *p == ' ') {
-                break;
-            }
-
-            if (*p >= '0' && *p <= '9') {
-                n = n * 10 + (*p - '0');
-                continue;
-            }
+        n = ngx_http_upstream_process_delta_seconds(p + 23, last);

+        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5120,18 +5107,9 @@ extensions:
    p = ngx_strlcasestrn(start, last, (u_char *) "stale-if-error=", 15 - 1);

    if (p) {
-        n = 0;
-
-        for (p += 15; p < last; p++) {
-            if (*p == ',' || *p == ';' || *p == ' ') {
-                break;
-            }
-
-            if (*p >= '0' && *p <= '9') {
-                n = n * 10 + (*p - '0');
-                continue;
-            }
+        n = ngx_http_upstream_process_delta_seconds(p + 15, last);

+        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5145,6 +5123,41 @@ extensions:
 }


+#if (NGX_HTTP_CACHE)
+
+static ngx_int_t
+ngx_http_upstream_process_delta_seconds(u_char *p, u_char *last)
+{
+    ngx_int_t  n, cutoff, cutlim;
+
+    cutoff = NGX_MAX_INT_T_VALUE / 10;
+    cutlim = NGX_MAX_INT_T_VALUE % 10;
+
+    n = 0;
+
+    for ( /* void */ ; p < last; p++) {
+        if (*p == ',' || *p == ';' || *p == ' ') {
+            break;
+        }
+
+        if (*p < '0' || *p > '9') {
+            return NGX_ERROR;
+        }
+
+        if (n >= cutoff && (n > cutoff || *p - '0' > cutlim)) {
+            n = NGX_MAX_INT_T_VALUE;
+            break;
+        }
+
+        n = n * 10 + (*p - '0');
+    }
+
+    return n;
+}
+
+#endif
+
+
 static ngx_int_t
 ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h,
    ngx_uint_t offset)