[PATCH] Fixing buffer over-read when accepting unix domain sockets

Yichun Zhang (agentzh)
July 09, 2013 09:30PM
Hello!

I've found a heap buffer over-read issue in the Nginx core via clang's
AddressSanitizer tool when Nginx is accepting a unix domain socket in
ngx_event_accept.

At least on Linux, accept and accept4 syscalls always return a socket
length of 2 for unix domain sockets, which makes later accesses to
saun->sun_path in function ngx_sock_ntop invalid (because
sizeof(sa->sa_family) == sizeof(short) == 2).

The patch attached fixes this issue.

Thanks!
-agentzh

--- nginx-1.4.1/src/event/ngx_event_accept.c 2013-05-06 03:26:50.000000000 -0700
+++ nginx-1.4.1-patched/src/event/ngx_event_accept.c 2013-07-09
17:41:42.688468839 -0700
@@ -268,7 +268,7 @@ ngx_event_accept(ngx_event_t *ev)
wev->own_lock = &c->lock;
#endif

- if (ls->addr_ntop) {
+ if (ls->addr_ntop && socklen > sizeof(c->sockaddr->sa_family)) {
c->addr_text.data = ngx_pnalloc(c->pool, ls->addr_text_max_len);
if (c->addr_text.data == NULL) {
ngx_close_accepted_connection(c);
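Review bot: on the changed `if (ls->addr_ntop && socklen > sizeof(c->sockaddr->sa_family))` line, a family-only address now skips this whole block with no comment saying why, so c->addr_text is simply left as it was before the block. Add a short comment noting that accept() can report only sa_family for a unix domain socket, and confirm that later users of c->addr_text cope with it never being filled in. Since the invalid read described in the message happens inside ngx_sock_ntop, a length check there for the unix-domain case would also cover any other caller that passes a short socklen.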
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
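The behaviour described in the post, as an added example that is not code from the post or from nginx: a listener accepts a client that never called bind(), and the reported address length is used to decide how many bytes of sun_path may be read. The helper names `unix_path_len` and `accept_unbound_peer` and the socket path are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper, not nginx code: number of sun_path bytes that are
 * valid to read given the length accept() reported (0 for a family-only
 * or abstract address). */
size_t unix_path_len(const struct sockaddr_un *sa, socklen_t len)
{
    size_t hdr = offsetof(struct sockaddr_un, sun_path), n;
    const char *nul;

    if (len <= hdr) return 0;              /* sun_path holds no valid bytes */
    n = len - hdr;
    if (n > sizeof(sa->sun_path)) n = sizeof(sa->sun_path);
    nul = memchr(sa->sun_path, '\0', n);   /* path need not be NUL-terminated */
    return nul != NULL ? (size_t) (nul - sa->sun_path) : n;
}

/* Connect an unbound client to a listener bound at path (a constructed demo
 * path); store what accept() reported in *peer and *len. Returns 0 or -1. */
int accept_unbound_peer(const char *path, struct sockaddr_un *peer, socklen_t *len)
{
    struct sockaddr_un srv = { .sun_family = AF_UNIX };
    int ls = socket(AF_UNIX, SOCK_STREAM, 0), cl = socket(AF_UNIX, SOCK_STREAM, 0);
    int fd = -1;

    strncpy(srv.sun_path, path, sizeof(srv.sun_path) - 1);
    *len = sizeof(*peer);
    if (ls >= 0 && cl >= 0 && bind(ls, (struct sockaddr *) &srv, sizeof(srv)) == 0
        && listen(ls, 1) == 0
        && connect(cl, (struct sockaddr *) &srv, sizeof(srv)) == 0)
        fd = accept(ls, (struct sockaddr *) peer, len);
    close(fd); close(cl); close(ls);       /* close(-1) just fails with EBADF */
    unlink(path);
    return fd >= 0 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_un peer;
    socklen_t len;
    if (accept_unbound_peer("/tmp/overread-demo.sock", &peer, &len) != 0) return 1;
    printf("socklen=%u, readable path bytes=%zu\n", (unsigned) len, unix_path_len(&peer, len));
    return 0;
}
```

Building this with `-fsanitize=address` and reading `peer.sun_path` from a heap buffer sized to the reported length is how the over-read in the post would surface.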