Welcome! Log In Create A New Profile

Advanced

Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Previous Message Next Message
Forum List Message List New Topic Print View
Bondarev, Daniil
October 07, 2014 01:26PM
Hi,

There is an issue in nginx, when it's returning NGX_HTTP_REQUEST_HEADER_TOO_LARGE
in ngx_http_process_request_headers:
When large header buffer is full and the last header size is 1 or 2 bytes more
than NGX_MAX_ERROR_STR - 300, nginx will write 1 or 2 '.' symbols out of large
header buffer, causing unpredictable behavior.

To reproduce it you can send request with total headers size of 'large client buffers size' and
the last header size of 1749. Valgrind will catch this issue:

==10776== Invalid write of size 1
==10776== at 0x426E84: ngx_http_process_request_headers (ngx_http_request.c:1230)
....

The following patch fixes this issue:

# HG changeset patch
# User Daniil Bondarev <bondarev@amazon.com>
# Date 1412401143 25200
# Node ID 2bbb5284ca7ff658ad50254fe0c5bec14247ba75
# Parent 6bbad2e732458bf53771e80c63a654b3d7f61963
Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

When large header buffer is full and the last header size is 1 or 2 bytes more
than NGX_MAX_ERROR_STR - 300, nginx will write 1 or 2 '.' symbols out of large
header buffer, causing unpredictable behavior.

The fix is, instead of modifying a buffer, just cut the header and print '...'
in log line if header is too large.

diff -r 6bbad2e73245 -r 2bbb5284ca7f src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Wed Aug 27 20:51:01 2014 +0400
+++ b/src/http/ngx_http_request.c Fri Oct 03 22:39:03 2014 -0700
@@ -1171,6 +1171,7 @@
{
u_char *p;
size_t len;
+ size_t print_len;
ssize_t n;
ngx_int_t rc, rv;
ngx_table_elt_t *h;
@@ -1225,14 +1226,13 @@

len = r->header_in->end - p;

- if (len > NGX_MAX_ERROR_STR - 300) {
- len = NGX_MAX_ERROR_STR - 300;
- p[len++] = '.'; p[len++] = '.'; p[len++] = '.';
- }
+ /* Since log line size is limited to NGX_MAX_ERROR_STR,
+ * nginx has to limit header size it will print into log. */
+ print_len = ngx_min(len, NGX_MAX_ERROR_STR - 300);

ngx_log_error(NGX_LOG_INFO, c->log, 0,
- "client sent too long header line: \"%*s\"",
- len, r->header_name_start);
+ "client sent too long header line: \"%*s%s\"",
+ print_len, p, len != print_len ? "..." : "");

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Bondarev, Daniil 822 October 07, 2014 01:26PM

Re: Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Maxim Dounin 281 October 07, 2014 01:56PM

RE: Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Bondarev, Daniil 310 October 07, 2014 02:12PM

Re: Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Maxim Dounin 272 October 07, 2014 03:00PM

RE: Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Bondarev, Daniil 319 October 07, 2014 03:12PM

Re: Prevent buffer overrun on NGX_HTTP_REQUEST_HEADER_TOO_LARGE

Maxim Dounin 341 October 08, 2014 09:46AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 152
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready