[PATCH] Fix a buffer overflow issue in ngx_hash_t when exceeding limits

Yichun Zhang (agentzh)
October 02, 2014 03:34PM
Hello!

Valgrind memcheck caught a buffer overflow issue in ngx_hash_t when
exceeding the pre-configured limits on my side:

==7417== Invalid write of size 2
==7417== at 0x40600D: ngx_hash_init (ngx_hash.c:324)
==7417== by 0x45BBFD: ngx_http_proxy_merge_loc_conf
(ngx_http_proxy_module.c:3214)
==7417== by 0x422C80: ngx_http_block (ngx_http.c:597)
==7417== by 0x412CE0: ngx_conf_parse (ngx_conf_file.c:391)
==7417== by 0x410971: ngx_init_cycle (ngx_cycle.c:264)
==7417== by 0x403FF0: main (nginx.c:333)
==7417== Address 0x4e66300 is 0 bytes after a block of size 1,024 alloc'd
==7417== at 0x4A0645D: malloc (vg_replace_malloc.c:291)
==7417== by 0x41C46A: ngx_alloc (ngx_alloc.c:22)
==7417== by 0x405ED5: ngx_hash_init (ngx_hash.c:271)
==7417== by 0x45BBFD: ngx_http_proxy_merge_loc_conf
(ngx_http_proxy_module.c:3214)
==7417== by 0x422C80: ngx_http_block (ngx_http.c:597)
==7417== by 0x412CE0: ngx_conf_parse (ngx_conf_file.c:391)
==7417== by 0x410971: ngx_init_cycle (ngx_cycle.c:264)
==7417== by 0x403FF0: main (nginx.c:333)
==7417==

To reproduce it just use the default official nginx 1.7.5 to run the
following nginx snippet:

proxy_set_header X-Forwarded-For "1.2.3.4";
proxy_set_header X-Forwarded-For $http_x_forwarded_for;

Basically the buffer is iterated through by its size plus one.

The following patch fixes this:

# HG changeset patch
# User Yichun Zhang <agentzh@gmail.com>
# Date 1412276417 25200
# Thu Oct 02 12:00:17 2014 -0700
# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5
# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd
Hash: buffer overflow might happen when exceeding the pre-configured limits.

diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c
--- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700
+++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700
@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng
continue;
}

+ size--;
+
ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0,
"could not build optimal %s, you should increase "
"either %s_max_size: %i or %s_bucket_size: %i; "
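Review bot: the bare "size--;" added just above the ngx_log_error() call carries no comment and is only correct if the preceding loop left size exactly one past the largest value it tried, which this hunk does not show. A one-line comment stating that invariant would help; alternatively, assign the configured limit (the value the warning reports as %s_max_size) to size explicitly, so the correction does not silently break if the loop's exit condition is ever changed.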
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
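A simplified model of the off-by-one described in the post, added here as an example; it is not nginx code and not the author's. The function names, the fit test and the guard element are hypothetical, and the 512-element limit assumes the 1,024-byte block in the Valgrind report holds 2-byte elements.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned short u_short;
#define GUARD 0xBEEF   /* constructed marker value, not from nginx */

/* Try sizes start..max_size; "size >= needed" is a hypothetical stand-in
 * for the real fit test. Returns size as the search leaves it. */
static size_t search_size(size_t start, size_t max_size, size_t needed,
                          int clamp)
{
    size_t size;

    for (size = start; size <= max_size; size++) {
        if (size >= needed) {
            return size;            /* a workable size was found */
        }
    }
    /* Limit exceeded: the loop exits with size == max_size + 1. */
    if (clamp) {
        size--;                     /* the correction the patch applies */
    }
    return size;
}

/* Fill `size` elements of a buffer meant to hold max_size elements.
 * One extra guard element sits where an overflow would land, so the
 * model detects the overrun without itself going out of bounds.
 * Returns 1 if the guard was overwritten, 0 if not, -1 on alloc failure. */
static int guard_overwritten(size_t size, size_t max_size)
{
    u_short *test = malloc((max_size + 1) * sizeof(u_short));
    size_t   i;
    int      hit;

    if (test == NULL) {
        return -1;
    }
    test[max_size] = GUARD;
    for (i = 0; i < size && i <= max_size; i++) {
        test[i] = sizeof(void *);   /* 2-byte write per element */
    }
    hit = (test[max_size] != GUARD);
    free(test);
    return hit;
}

int main(void)
{
    size_t bad = search_size(1, 512, 600, 0), ok = search_size(1, 512, 600, 1);
    printf("unclamped: size=%zu overflow=%d\n", bad, guard_overwritten(bad, 512));
    printf("clamped:   size=%zu overflow=%d\n", ok, guard_overwritten(ok, 512));
    return 0;
}
```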