Heap buffer overflow (read) when using $binary_remote_addr with unix sockets

Stephan Dollberg via nginx-devel
August 15, 2017 06:12AM
Hi,

When using $binary_remote_addr together with unix sockets (without
using X-Real-Ip) there is a heap buffer overread of two bytes.

The problem is that we only allocate two bytes for c->sockaddr here
http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167
but later on assume it to be of size four
http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246

Now, one could argue that using remote addr and unix sockets without
X-Real-Ip might not make sense but I still wanted to report it. Maybe
it might make sense to issue a warning or something.

The issue can be reproduced by compiling with address sanitizer and
-DNGX_DEBUG_PALLOC and using something like the following config:

daemon off;
master_process off;

events {
    worker_connections 1024;
}

error_log /dev/stdout debug;

http {
    server {
        listen 8000;
        listen unix:/tmp/nginx.sock backlog=10000;
        server_name localhost;

        location / {
            proxy_pass http://unix:/tmp/nginx.sock:/foo;
        }

        location /foo {
            return 200 hello$binary_remote_addr;
        }
    }
}

Cheers,
Stephan
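
A length-checked way to read the binary peer address, added here as an illustration of the mismatch the report describes; it is not nginx code and not the fix nginx adopted. The names `binary_addr_checked` and `demo_short_sockaddr` are hypothetical, and the example goes slightly beyond the post by also handling AF_INET6.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Bytes that must be present before sa_family can be read (2 on Linux). */
#define FAMILY_END (offsetof(struct sockaddr, sa_family) + sizeof(sa_family_t))

/* Hypothetical helper, not an nginx function: copy the binary peer address
 * to out only when the stored sockaddr is long enough to contain one.
 * Returns the number of bytes copied, or 0 when no address is available. */
size_t binary_addr_checked(const void *sa, socklen_t socklen,
                           unsigned char *out, size_t outlen)
{
    sa_family_t family;
    size_t off, len, need;
    if (sa == NULL || (size_t) socklen < FAMILY_END) return 0;
    memcpy(&family, (const char *) sa + offsetof(struct sockaddr, sa_family),
           sizeof(family));
    if (family == AF_INET) {
        off = offsetof(struct sockaddr_in, sin_addr);
        len = sizeof(struct in_addr);
        need = sizeof(struct sockaddr_in);
    } else if (family == AF_INET6) {
        off = offsetof(struct sockaddr_in6, sin6_addr);
        len = sizeof(struct in6_addr);
        need = sizeof(struct sockaddr_in6);
    } else {
        return 0;                /* AF_UNIX etc.: no address bytes to copy */
    }
    if ((size_t) socklen < need || outlen < len) return 0;
    memcpy(out, (const char *) sa + off, len);
    return len;
}

/* Constructed sample: a heap sockaddr holding only sa_family, as the post
 * describes for a unix-socket peer. Returns what the helper reports. */
size_t demo_short_sockaddr(sa_family_t family)
{
    unsigned char out[16];
    char *sa = malloc(FAMILY_END);
    size_t n;
    if (sa == NULL) return (size_t) -1;
    memcpy(sa + offsetof(struct sockaddr, sa_family), &family, sizeof(family));
    n = binary_addr_checked(sa, (socklen_t) FAMILY_END, out, sizeof(out));
    free(sa);
    return n;
}
```

Built with address sanitizer, the short allocation is never read past its end, because the helper compares the stored length against the structure size before touching the address field.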