From bcb41c91939009b7d01074c9a8f3cef1da13ec50 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Mon, 24 Nov 2025 15:57:09 +0400 Subject: [PATCH] Proxy: fixed segfault in URI change. If request URI was shorter than location prefix, as after replacement with try_files, location length was used to copy the remaining URI part leading to buffer overread. The fix is to replace full request URI in this case. In the following configuration, request "/123" is changed to "/" when sent to backend. location /1234 { try_files /123 =404; proxy_pass http://127.0.0.1:8080/; } Closes #983 on GitHub.
---
 src/http/modules/ngx_http_proxy_module.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 8d5385c1d..d3836602e 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1206,7 +1206,8 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
 return NGX_OK;
 }
 
- loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
+ loc_len = (r->valid_location && ctx->vars.uri.len)
+ ? ngx_min(plcf->location.len, r->uri.len) : 0;
 
 if (r->quoted_uri || r->internal) {
 escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@@ -1318,8 +1319,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
 uri_len = r->unparsed_uri.len;
 
 } else {
- loc_len = (r->valid_location && ctx->vars.uri.len) ?
- plcf->location.len : 0;
+ loc_len = (r->valid_location && ctx->vars.uri.len)
+ ? ngx_min(plcf->location.len, r->uri.len) : 0;
 
 if (r->quoted_uri || r->internal) {
 escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
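Review bot: The `ngx_min()` clamp in `ngx_http_proxy_create_key` (and the identical one in the `ngx_http_proxy_create_request` hunk) bounds the read, but nothing visible in either hunk checks that `r->uri` still begins with `plcf->location`. A URI that try_files replaced with something at least as long as the prefix would apparently still lose its first `loc_len` bytes, even though they are not the location. That is a correctness question rather than a memory-safety one, and it looks pre-existing, but it is worth confirming it is intended. Either way the reason for the bound should be recorded at the assignment, for example `/* r->uri may be shorter than the location after try_files; never skip past its end */`. Both functions continue outside their hunks, so the later uses of `loc_len` cannot be checked from here.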
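Review bot: The clamped `loc_len` expression is now repeated verbatim in `ngx_http_proxy_create_key` and in this `ngx_http_proxy_create_request` hunk, and the removed lines show the two copies had already drifted in layout. Since this bound is what prevents the overread, keeping it in one static helper would stop a future edit from fixing one site and missing the other. The helper name below is only a suggestion; both call sites would reduce to the single assignment shown.

```c
static ngx_inline size_t
ngx_http_proxy_location_len(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf)
{
    if (!r->valid_location || ctx->vars.uri.len == 0) {
        return 0;
    }

    /* r->uri may be shorter than the location prefix after try_files */
    return ngx_min(plcf->location.len, r->uri.len);
}

/* ... unchanged: ngx_http_proxy_create_key / ngx_http_proxy_create_request up to the assignment ... */
        loc_len = ngx_http_proxy_location_len(r, ctx, plcf);
```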