[PATCH] perl module: fix SSI parameter termination bug

Matthew Daley
March 13, 2012 03:36AM
Hi,

There is a small issue in the handling of the SSI command provided by
the Perl module.

It NULL-terminates the 'sub' parameter value before passing it to
ngx_http_perl_eval_anon_sub, but this has the problem that if the
parameter's length is the maximum allowable for SSI commands, it will
write the NULL byte just past the end of the allocated buffer:

==14669== Invalid write of size 1
==14669== at 0x80A79E3: ngx_http_perl_ssi (ngx_http_perl_module.c:384)
==14669== by 0x80904CF: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:794)
==14669== by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669== by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669== by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669== by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669== by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669== by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669== by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)
==14669== by 0x80713F4: ngx_http_core_run_phases (ngx_http_core_module.c:877)
==14669== by 0x80714ED: ngx_http_handler (ngx_http_core_module.c:860)
==14669== by 0x807988F: ngx_http_process_request (ngx_http_request.c:1668)
==14669== Address 0x44bd120 is 0 bytes after a block of size 256 alloc'd
==14669== at 0x4023F50: malloc (vg_replace_malloc.c:236)
==14669== by 0x806979B: ngx_alloc (ngx_alloc.c:22)
==14669== by 0x8053BDC: ngx_malloc (ngx_palloc.c:149)
==14669== by 0x8053D0A: ngx_pnalloc (ngx_palloc.c:183)
==14669== by 0x808F4A8: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:1206)
==14669== by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669== by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669== by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669== by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669== by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669== by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669== by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)

I don't believe this to have any security impact, as if you already
have the ability to inject Perl SSI commands, you already have the
Perl runtime for any malicious intent.

I have attached a patch which attempts to fix the problem by creating
an appropriately-sized buffer and NULL-terminating a copy of the
string to eval.

- Matthew Daley
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
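The off-by-one described in the post is a general pattern: a length-prefixed, non-terminated string sits in a buffer of exactly its own length, and writing a terminator at `data[len]` lands one byte past the allocation when the value is at maximum size. The following C example, added here as an illustration and not taken from the attached patch or from nginx itself, models that situation with a stand-in struct (the name `sized_str` and the helper names are hypothetical) and contrasts the unsafe in-place write with the approach the post describes: allocating `len + 1` bytes and terminating a copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed string view (not ngx_str_t). */
typedef struct {
    size_t len;
    unsigned char *data;
} sized_str;

/* Models the unsafe pattern: 'value' lives inside a buffer of exactly 'cap'
 * bytes and is not NUL-terminated. Writing data[len] = 0 in place is only
 * in bounds when len < cap; at the maximum length it runs one byte past the
 * allocation. Returns 1 when the in-place terminator write would overrun. */
int would_overrun(const sized_str *value, size_t cap)
{
    return value->len >= cap;
}

/* The fix described in the post: copy the value into a fresh buffer sized
 * len + 1 so the terminator always fits. Caller frees the result. */
char *terminated_copy(const sized_str *value)
{
    if (value->len == SIZE_MAX) {
        return NULL; /* len + 1 would wrap around */
    }
    char *copy = malloc(value->len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, value->data, value->len);
    copy[value->len] = '\0';
    return copy;
}

/* Constructed worst case: a 256-byte buffer completely filled by the value,
 * mirroring the "block of size 256" in the valgrind report above.
 * Returns 1 if the naive in-place write would overrun, 0 otherwise. */
int demo_overrun_flag(void)
{
    unsigned char buf[256];
    memset(buf, 'a', sizeof buf);
    sized_str v = { sizeof buf, buf };
    return would_overrun(&v, sizeof buf);
}

/* Same worst case through the safe path: returns the strlen() of the
 * terminated copy, which must equal the original length (256). */
size_t demo_safe_copy_length(void)
{
    unsigned char buf[256];
    memset(buf, 'a', sizeof buf);
    sized_str v = { sizeof buf, buf };
    char *copy = terminated_copy(&v);
    if (copy == NULL) {
        return 0;
    }
    size_t n = strlen(copy);
    free(copy);
    return n;
}

int main(void)
{
    printf("in-place terminator would overrun: %d\n", demo_overrun_flag());
    printf("terminated copy length: %zu\n", demo_safe_copy_length());
    return 0;
}
```

The check in `would_overrun` is the kind of assertion a reviewer would look for whenever code terminates a borrowed, length-prefixed value in place; under a tool like valgrind or AddressSanitizer the in-place variant reports exactly the one-byte write past the block that the post shows.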