Re: nginx security advisory (CVE-2017-7529)

Maxim Dounin
August 09, 2017 11:14AM
Hello!

On Thu, Jul 20, 2017 at 10:32:15PM -0700, Shuxin Yang wrote:

> I try to exploit this bug in an attempt to do something nasty :-).
> However, the more I dig into it, the more I get confused.

No comments on this, sorry. We generally avoid providing
exploitation details to minimize impact on not-yet-updated
systems.

[...]

> d) the patch guarantees the total size of ranges is smaller than 4G
> (again, assume 32bit system). But what if it ends up very close to 4G,
> making the "len" variable in function
> ngx_http_range_multipart_header() overflow? The "len" is used to calculate
> the content-length of the resulting response; it is the total size of
> multi-part overhead plus ranges.

This looks like a separate bug, which can result in incorrect
Content-Length being returned if a file larger than 4G is
requested using multiple ranges on a 32-bit system. Thanks for
reporting this.

The following patch should fix this:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1502291117 -10800
# Wed Aug 09 18:05:17 2017 +0300
# Node ID fc89eec543ee3e41b74347ffa0c59554188dc3f5
# Parent 2f48ab272052d9b2ca00f8192c589b872ee3bc86
Range filter: changed type for total length to off_t.

Total length of a response with multiple ranges can be larger than a size_t
variable can hold, so type changed to off_t. Previously, an incorrect
Content-Length was returned when requesting more than 4G of ranges from
a large enough file on a 32-bit system.

Reported by Shuxin Yang,
http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html.

diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -463,7 +463,7 @@ static ngx_int_t
ngx_http_range_multipart_header(ngx_http_request_t *r,
ngx_http_range_filter_ctx_t *ctx)
{
- size_t len;
+ off_t len;
ngx_uint_t i;
ngx_http_range_t *range;
ngx_atomic_uint_t boundary;
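Review bot: changing `len` from `size_t` to `off_t` makes its type match `r->headers_out.content_length_n`, which it is assigned to later, but the hunk shows only the declaration; any other use of `len` in this function as a buffer or allocation length (a `size_t` parameter) would now involve an implicit narrowing conversion, so those call sites should be checked, and a one-line comment on the declaration noting that `len` holds the full multipart total (which can exceed `size_t` on 32-bit builds) would document why the wider type is required.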
@@ -569,7 +569,7 @@ ngx_http_range_multipart_header(ngx_http
- range[i].content_range.data;

len += ctx->boundary_header.len + range[i].content_range.len
- + (size_t) (range[i].end - range[i].start);
+ + (range[i].end - range[i].start);
}

r->headers_out.content_length_n = len;
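Review bot: removing the `(size_t)` cast is what actually prevents the wrap, since `range[i].end - range[i].start` is now accumulated in `len`'s wider type instead of being truncated per range on a 32-bit build; the hunk does not show the declarations of `range[i].end` and `range[i].start`, so the commit message or a comment above the loop should state that they share `len`'s `off_t` type, which is what makes the cast unnecessary rather than merely harmless.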

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
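An added example (not nginx code and not from this thread): a constructed C model of the accumulation the patch changes, showing how a 32-bit `size_t` total wraps while an `off_t` total of the same parts does not. The per-part overhead lengths, the macro names and the sample ranges are assumptions, not the values nginx produces.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model (not nginx code) of the Content-Length accumulation in
 * ngx_http_range_multipart_header(): each part adds the boundary header, the
 * Content-Range line and the body bytes (end - start). The overhead sizes
 * below are assumed placeholders, not the lengths nginx actually emits. */
#define PREFIX_LEN        14   /* assumed: "--" + boundary digits + CRLF */
#define BOUNDARY_HDR_LEN  60   /* assumed: CRLF "--" boundary + Content-Type */
#define CONTENT_RANGE_LEN 30   /* assumed: "Content-Range: bytes a-b/total" */
#define GIB               (1024LL * 1024 * 1024)

typedef struct { int64_t start, end; } range_t;   /* off_t in nginx */

/* 'Before' the patch on a 32-bit build: len is a 32-bit size_t and each
 * body size is cast to size_t, so the running total wraps modulo 2^32. */
uint32_t total_len_size32(const range_t *r, size_t n)
{
    uint32_t len = PREFIX_LEN;
    for (size_t i = 0; i < n; i++) {
        len += BOUNDARY_HDR_LEN + CONTENT_RANGE_LEN
               + (uint32_t) (r[i].end - r[i].start);
    }
    return len;
}

/* 'After' the patch: len is off_t (64-bit here) and the cast is gone. */
int64_t total_len_off64(const range_t *r, size_t n)
{
    int64_t len = PREFIX_LEN;
    for (size_t i = 0; i < n; i++) {
        len += BOUNDARY_HDR_LEN + CONTENT_RANGE_LEN
               + (r[i].end - r[i].start);
    }
    return len;
}

/* Returns 1 when the 32-bit accumulation would produce a wrong Content-Length
 * for these ranges, i.e. the wrapped and the widened totals disagree. */
int content_length_wraps(const range_t *r, size_t n)
{
    return (int64_t) total_len_size32(r, n) != total_len_off64(r, n);
}

/* Constructed sample: two 3 GiB ranges of a 6 GiB file. Their sum does not
 * exceed the file size, so the CVE-2017-7529 range validation accepts them,
 * yet the multipart total is above 4G. */
const range_t sample_ranges[2] = { { 0, 3 * GIB }, { 3 * GIB, 6 * GIB } };
```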