Google Git
Sign in
nginx/nginx/3035e9339be31e6aa97fb3e86196c6b40d52904f^!/.
commit
3035e9339be31e6aa97fb3e86196c6b40d52904f
[log]
author
Valentin Bartenev <vbart@nginx.com>
Thu Feb 04 18:01:04 2016 +0300
committer
Valentin Bartenev <vbart@nginx.com>
Thu Feb 04 18:01:04 2016 +0300
tree
ea75d2250ed73a6d1eadd4b27cb36fca95a90cf8
parent
c6ad9ada8869f0b5b0a187f64ada0e848e95c0fe [diff]
HTTP/2: fixed possible buffer overrun (ticket #893).

Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index ed30fe5..ea58979 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c

@@ -215,8 +215,8 @@
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (r->headers_out.server == NULL) {
-        len += 1 + clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
-                                       : ngx_http_v2_literal_size("nginx");
+        len += 1 + (clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
+                                        : ngx_http_v2_literal_size("nginx"));
     }
 
     if (r->headers_out.date == NULL) {