Fixed buffer over-read while logging invalid request headers. Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character. In this case the r->header_end pointer isn't properly initialized, but the log message in ngx_http_process_request_headers() hasn't been adjusted. It used the pointer in size calculation, which might result in up to 2k buffer over-read. Found with afl-fuzz.

commit: 142437da1adb5aced816e099a581cb9e927d479c [log] [tgz]
author: Valentin Bartenev <vbart@nginx.com> Wed Feb 24 16:01:23 2016 +0300
committer: Valentin Bartenev <vbart@nginx.com> Wed Feb 24 16:01:23 2016 +0300
tree: 7571132be835bb194a80b5b42ae9c81a529955a0
parent: f878c05185231c59caafb0131ad717f44b7d54eb [diff]
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 99e9325..5a39c11 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c

@@ -1351,12 +1351,11 @@
             continue;
         }
 
-        /* rc == NGX_HTTP_PARSE_INVALID_HEADER: "\r" is not followed by "\n" */
+        /* rc == NGX_HTTP_PARSE_INVALID_HEADER */
 
         ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                      "client sent invalid header line: \"%*s\\r...\"",
-                      r->header_end - r->header_name_start,
-                      r->header_name_start);
+                      "client sent invalid header line");
+
         ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
         return;
     }
commit	142437da1adb5aced816e099a581cb9e927d479c	[log] [tgz]
author	Valentin Bartenev <vbart@nginx.com>	Wed Feb 24 16:01:23 2016 +0300
committer	Valentin Bartenev <vbart@nginx.com>	Wed Feb 24 16:01:23 2016 +0300
tree	7571132be835bb194a80b5b42ae9c81a529955a0
parent	f878c05185231c59caafb0131ad717f44b7d54eb [diff]