[PATCH] perl module: fix SSI parameter termination bug

Matthew Daley mattjd at gmail.com
Tue Mar 13 07:34:33 UTC 2012


Hi,

There is a small issue in the handling of the SSI command provided by
the Perl module.

It NULL-terminates the 'sub' parameter value before passing it to
ngx_http_perl_eval_anon_sub, but this has the problem that if the
parameter's length is the maximum allowable for SSI commands, it will
write the NULL byte just past the end of the allocated buffer:

==14669== Invalid write of size 1
==14669==    at 0x80A79E3: ngx_http_perl_ssi (ngx_http_perl_module.c:384)
==14669==    by 0x80904CF: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:794)
==14669==    by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669==    by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669==    by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669==    by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669==    by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669==    by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669==    by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)
==14669==    by 0x80713F4: ngx_http_core_run_phases (ngx_http_core_module.c:877)
==14669==    by 0x80714ED: ngx_http_handler (ngx_http_core_module.c:860)
==14669==    by 0x807988F: ngx_http_process_request (ngx_http_request.c:1668)
==14669==  Address 0x44bd120 is 0 bytes after a block of size 256 alloc'd
==14669==    at 0x4023F50: malloc (vg_replace_malloc.c:236)
==14669==    by 0x806979B: ngx_alloc (ngx_alloc.c:22)
==14669==    by 0x8053BDC: ngx_malloc (ngx_palloc.c:149)
==14669==    by 0x8053D0A: ngx_pnalloc (ngx_palloc.c:183)
==14669==    by 0x808F4A8: ngx_http_ssi_body_filter (ngx_http_ssi_filter_module.c:1206)
==14669==    by 0x8092B73: ngx_http_charset_body_filter (ngx_http_charset_filter_module.c:553)
==14669==    by 0x8055F3F: ngx_output_chain (ngx_output_chain.c:206)
==14669==    by 0x807D09E: ngx_http_copy_filter (ngx_http_copy_filter_module.c:142)
==14669==    by 0x808A288: ngx_http_range_body_filter (ngx_http_range_filter_module.c:559)
==14669==    by 0x8071758: ngx_http_output_filter (ngx_http_core_module.c:1903)
==14669==    by 0x8089459: ngx_http_static_handler (ngx_http_static_module.c:266)
==14669==    by 0x807598C: ngx_http_core_content_phase (ngx_http_core_module.c:1394)

I don't believe this to have any security impact, as if you already
have the ability to inject Perl SSI commands, you already have the
Perl runtime for any malicious intent.

I have attached a patch which attempts to fix the problem by creating
an appropriately-sized buffer and NULL-terminating a copy of the
string to eval.

- Matthew Daley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-perl.patch
Type: application/octet-stream
Size: 2953 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120313/81c2898d/attachment.obj>
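The off-by-one described in the report, and the copy-into-a-sized-buffer fix the last paragraph outlines, as an added C example; this is not the attached patch or nginx code, and str_t, PARAM_CAP and the function names are stand-ins chosen here.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for nginx's length-plus-pointer string: the data is NOT
 * guaranteed to be NUL-terminated. Hypothetical type for this example. */
typedef struct {
    size_t len;
    unsigned char *data;
} str_t;

/* Stand-in for the 256-byte parameter buffer seen in the Valgrind trace. */
#define PARAM_CAP 256

/* Unsafe pattern: terminate in place. When len == cap the store would land
 * at data[cap], one byte past the buffer, which is what Valgrind flagged.
 * Returns 0 without writing in that case; returns 1 when the write fits. */
static int terminate_in_place(str_t *s, size_t cap)
{
    if (s->len >= cap) {
        return 0;               /* off-by-one: no room for the NUL byte */
    }
    s->data[s->len] = '\0';
    return 1;
}

/* Fixed pattern: allocate len + 1, copy the bytes, then terminate the copy.
 * The original buffer is never written. Caller frees the result. */
static unsigned char *copy_and_terminate(const str_t *s)
{
    unsigned char *p = malloc(s->len + 1);
    if (p == NULL) {
        return NULL;
    }
    memcpy(p, s->data, s->len);
    p[s->len] = '\0';
    return p;
}

/* Constructed input: a parameter value that fills the buffer completely,
 * i.e. a value of the maximum allowable length. */
static str_t make_full_param(unsigned char *buf, size_t len)
{
    str_t s;
    memset(buf, 'A', len);
    s.len = len;
    s.data = buf;
    return s;
}
```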