kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

Require alcf->server array to be non-empty before using it. #166

Closed i-rinat closed 7 years ago

i-rinat commented 7 years ago

If for some reason an administrator adds the auth_ldap directive but forgets to add auth_ldap_servers, the servers array for the location remains uninitialized. And when a request with an Authorization header field arrives, NULL gets dereferenced.

This patch checks that the array is initialized in ngx_http_auth_ldap_handler(), before other functions are called.

i-rinat commented 7 years ago

To reproduce the crash, start nginx with this configuration:

worker_processes  1;
master_process off;
daemon off;
events { worker_connections  1024; }
http {
    server {
        listen       8080;
        auth_ldap    Hello;
        location / { root html; index index.html index.htm; }
    }
}

and send the request "GET / HTTP/1.0\nAuthorization: Basic YTph\n\n".
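A configuration check for the condition described in this thread, as an added example (not part of the pull request or the module): it flags every context where auth_ldap is enabled with no auth_ldap_servers in scope. It assumes both directives inherit from the enclosing context and that `auth_ldap off` disables authentication; the function names `parse` and `unbacked_auth_ldap` are hypothetical.

```python
import re

# Quoted strings, block/statement delimiters, or bare words ('#' inside quotes is not handled).
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(conf_text):
    """Build a tree of contexts, recording each block's own auth_ldap settings."""
    root = {"name": "", "realm": None, "servers": False, "kids": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf_text)):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            node = {"name": " ".join(words), "realm": None, "servers": False, "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack = stack[:-1] or stack  # tolerate a stray closing brace
        elif words[:1] == ["auth_ldap"] and len(words) > 1:
            stack[-1]["realm"] = words[1].strip("\"'")
        elif words[:1] == ["auth_ldap_servers"]:
            stack[-1]["servers"] = True
        words = []
    return root

def unbacked_auth_ldap(node, path=(), realm=None, servers=False):
    """Return paths of contexts where auth_ldap is on but no server list is in scope."""
    # Assumption: settings inherit from the enclosing context; "off" disables auth.
    realm = node["realm"] if node["realm"] is not None else realm
    servers = servers or node["servers"]
    path = path + (node["name"],) if node["name"] else path
    hits = [" > ".join(path)] if realm not in (None, "off") and not servers else []
    for kid in node["kids"]:
        hits += unbacked_auth_ldap(kid, path, realm, servers)
    return hits

# The http block of the configuration from the report above (no server list defined).
PAGE_CONF = """
http {
    server {
        listen 8080;
        auth_ldap Hello;
        location / { root html; index index.html index.htm; }
    }
}
"""
if __name__ == "__main__":
    print(unbacked_auth_ldap(parse(PAGE_CONF)))
```

Because the tree is built before it is evaluated, an auth_ldap_servers line placed after a nested block in the same context still counts as in scope for that block.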