Invalid "Authorization" header may lead to segmentation fault

[max-lt]

Invalid "Authorization" header may lead to segmentation fault:

2018/06/06 22:03:26 [emerg] 8#8: *10 malloc(18446744073709551611) failed (12: Out of memory), client: 172.17.0.1, server: localhost, request: "GET /secure-auth-header/ HTTP/1.1", host: "localhost:8000"
2018/06/06 22:03:27 [notice] 1#1: signal 17 (SIGCHLD) received from 8
2018/06/06 22:03:27 [alert] 1#1: worker process 8 exited on signal 11 (core dumped)
2018/06/06 22:03:27 [notice] 1#1: start worker process 9

How to reproduce:

• In your nginx.conf file: change error_log /var/log/nginx/error.log info to error_log /dev/stderr info (you wont see anything otherwise).

• Add this test:

  TEST_INVALID_AUTH_HEADER=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-auth-header/index.html -H 'cache-control: no-cache' --header "Authorization: X"`
  if [ "TEST_INVALID_AUTH_HEADER" -eq "302" ];then
  echo -e "${GREEN}Secure test with jwt auth header pass ${TEST_INVALID_AUTH_HEADER}${NONE}";
  else
  echo -e "${RED}Secure test with jwt auth header fail ${TEST_INVALID_AUTH_HEADER}${NONE}";
  fi

Cause:

Line 422: authorizationHeaderStr.len = authorizationHeader->value.len - (sizeof("Bearer ") - 1); -> "len" can be negative and it will fail in the ngx_str_t_to_char_ptr function on memory allocation.

[aaronesau-summit]

@fitzyjoe is there any update on this? It seems like a trivial fix, and I think this might be able to be exploited as an out of bounds read vulnerability. I can submit a PR if you'd like.

[JoshMcCullough]

@fitzyjoe Can you review the #61 ?

[eutychus]

@JoshMcCullough @fitzyjoe I provided a PR that fixes this and updates the test case. Can I get this reviewed and merged?

[fitzyjoe]

Merged PR to fix this. Thanks!