Hi,
There is a small issue in the handling of the SSI command provided by
the Perl module.
It NULL-terminates the 'sub' parameter value before passing it to
ngx_http_perl_eval_anon_sub, but this has the problem that if the
parameter's length is the maximum allowable for SSI commands, it will
write the NULL byte just past the end of the allocated buffer:

==14669== Invalid write of size 1
==14669== at 0x80A79E3: ngx_http_perl_ssi (ngx_http_perl_module.c:384)
==14669== by 0x80904CF: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:794)
==14669== by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669== by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669== by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669== by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669== by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669== by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669== by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)
==14669== by 0x80713F4: ngx_http_core_run_phases (ngx_http_core_module.c:877)
==14669== by 0x80714ED: ngx_http_handler (ngx_http_core_module.c:860)
==14669== by 0x807988F: ngx_http_process_request (ngx_http_request.c:1668)
==14669== Address 0x44bd120 is 0 bytes after a block of size 256 alloc'd
==14669== at 0x4023F50: malloc (vg_replace_malloc.c:236)
==14669== by 0x806979B: ngx_alloc (ngx_alloc.c:22)
==14669== by 0x8053BDC: ngx_malloc (ngx_palloc.c:149)
==14669== by 0x8053D0A: ngx_pnalloc (ngx_palloc.c:183)
==14669== by 0x808F4A8: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:1206)
==14669== by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669== by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669== by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669== by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669== by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669== by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669== by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)

I don't believe this to have any security impact, as if you already
have the ability to inject Perl SSI commands, you already have the
Perl runtime for any malicious intent.
I have attached a patch which attempts to fix the problem by creating
an appropriately-sized buffer and NULL-terminating a copy of the
string to eval.
- Matthew Daley
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
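The off-by-one described in the post above, as an added C example that is not part of the original message and is not the attached nginx patch (which is not reproduced on this page). It uses a constructed stand-in for nginx's length-counted string type, the in-place termination pattern the post identifies as the bug, and a copy-and-terminate routine in the spirit of the fix the post describes. The `str_t` type, `PARAM_CAP` (set to 256 to match the "block of size 256" in the Valgrind report), the canary harness and every function name are assumptions made for this illustration; the harness over-allocates the parameter buffer by one byte and puts a canary there, so the stray write lands on something observable instead of in unowned memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for nginx's length-counted ngx_str_t (constructed for this example).
 * The data is NOT NUL-terminated; len is the only record of where it ends. */
typedef struct {
    size_t len;
    unsigned char *data;
} str_t;

/* Assumed capacity of the SSI parameter buffer, chosen to match the
 * "block of size 256" in the Valgrind report. */
#define PARAM_CAP 256
#define CANARY 0xAA

/* The buggy pattern the post describes: terminate the value in place.
 * When len == PARAM_CAP, data[len] is the byte just past the buffer. */
static void terminate_in_place(str_t *value)
{
    value->data[value->len] = '\0';
}

/* The fixed pattern, in the spirit of the described patch: allocate exactly
 * len + 1 bytes, copy the value, and terminate the copy. Caller frees it. */
static char *dup_terminated(const str_t *value)
{
    char *copy = malloc(value->len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, value->data, value->len);
    copy[value->len] = '\0';
    return copy;
}

/* Harness: a PARAM_CAP-byte "parameter buffer" followed by one canary byte.
 * Returns 1 if terminating a len-byte value in place overwrote the canary,
 * 0 if the write stayed inside the buffer, -1 on harness error. */
static int in_place_clobbers_canary(size_t len)
{
    if (len > PARAM_CAP) {
        return -1;            /* the SSI parser would already have rejected this */
    }
    unsigned char *buf = malloc(PARAM_CAP + 1);
    if (buf == NULL) {
        return -1;
    }
    memset(buf, 'A', PARAM_CAP);
    buf[PARAM_CAP] = CANARY;  /* the byte "0 bytes after" the block */

    str_t value = { len, buf };
    terminate_in_place(&value);

    int clobbered = (buf[PARAM_CAP] != CANARY);
    free(buf);
    return clobbered;
}

/* Same harness for the fixed path: the source buffer must be untouched and
 * the copy must be a properly terminated string of exactly len bytes.
 * Returns 1 on success, 0 on failure, -1 on harness error. */
static int copy_preserves_canary(size_t len)
{
    if (len > PARAM_CAP) {
        return -1;
    }
    unsigned char *buf = malloc(PARAM_CAP + 1);
    if (buf == NULL) {
        return -1;
    }
    memset(buf, 'A', PARAM_CAP);
    buf[PARAM_CAP] = CANARY;

    str_t value = { len, buf };
    char *copy = dup_terminated(&value);

    int ok = copy != NULL
          && buf[PARAM_CAP] == CANARY
          && strlen(copy) == len
          && memcmp(copy, buf, len) == 0;
    free(copy);
    free(buf);
    return ok;
}

int main(void)
{
    /* One byte short of the maximum stays in bounds; the maximum does not. */
    printf("len=%d in place clobbers canary: %d\n", PARAM_CAP - 1, in_place_clobbers_canary(PARAM_CAP - 1));
    printf("len=%d in place clobbers canary: %d\n", PARAM_CAP, in_place_clobbers_canary(PARAM_CAP));
    printf("len=%d copy preserves canary:    %d\n", PARAM_CAP, copy_preserves_canary(PARAM_CAP));
    return 0;
}
```

The point the harness makes is that the in-place write is fine for every length but the last one, which is exactly why a test suite that never exercises a maximum-length parameter will not catch it; the copy-and-terminate version is correct for all lengths because the copy's size is derived from `len` rather than from the source buffer's capacity.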