Hello, I found an array index out of bounds bug in ngx_inet_add_addr()
function.
In my case, I want to use ngx_parse_url(cf->pool, u) twice to update my
address.
Consider this situation, my twice function call argument u: u->url.data is
string
of ip address, and then, call trace is

ngx_inet_add_addr (src/core/ngx_inet.c#L1274)
ngx_parse_inet_url (src/core/ngx_inet.c#L968)
ngx_parse_url (src/core/ngx_inet.c#L700)

In first ngx_parse_url() call, u->url.data ip address will successfully add
to u->addrs array,
and u->naddrs will be increased to 1. And then the second
call ngx_parse_url(),
u->url.data ip address add to u->addrs array, Because of in first call
n->naddrs was
increased to 1, so this time our update ip address will add to
u->addrs[1], but u->addrs
array were allocated 1 * sizeof(ngx_addr_t).

src/core/ngx_inet.c#L1275 u->addrs = ngx_palloc(pool, total * nports *
sizeof(ngx_addr_t));

So the second time I call this function will cause memory error, and it may
even make the program crashes.

In order to avoid this bug, We need to check index of u->addrs.
Could you help me check where there is a problem? Thanks!

# HG changeset patch
# User Jun Ouyang <ouyangjun1999@gmail.com>
# Date 1609070041 -28800
# Sun Dec 27 19:54:01 2020 +0800
# Node ID 978ff553691d3fec538586cfa88e1e2b9858d4b5
# Parent 82228f955153527fba12211f52bf102c90f38dfb
Multiple call ngx_parse_url add addr to addrs array cause index out of
bounds bug

diff -r 82228f955153 -r 978ff553691d src/core/ngx_inet.c
--- a/src/core/ngx_inet.c Tue Dec 15 17:41:39 2020 +0300
+++ b/src/core/ngx_inet.c Sun Dec 27 19:54:01 2020 +0800
@@ -1278,6 +1278,10 @@
}
}

+ if (u->naddrs == nports * total) {
+ u->naddrs = 0;
+ }
+
for (i = 0; i < nports; i++) {
sa = ngx_pcalloc(pool, socklen);
if (sa == NULL) {

--
*GPG public key: 4A6D297E6F74638E4D5F8E99152AC7B5F7608B26*
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel