[PATCH] Fixing buffer over-read when accepting unix domain sockets

Yichun Zhang (agentzh) agentzh at gmail.com
Wed Jul 10 20:15:48 UTC 2013 

Hello!

On Wed, Jul 10, 2013 at 6:18 AM, Maxim Dounin wrote:
>> -        if (ls->addr_ntop) {
>> +        if (ls->addr_ntop && socklen > sizeof(c->sockaddr->sa_family)) {
>>              c->addr_text.data = ngx_pnalloc(c->pool, ls->addr_text_max_len);
>>              if (c->addr_text.data == NULL) {
>>                  ngx_close_accepted_connection(c);
>
> The patch looks wrong - it doesn't initialize c->addr_text at all,
> while it's requested by a caller.
>

Thank you for the review!

How about this?

--- nginx-1.4.1/src/event/ngx_event_accept.c 2013-05-06 03:26:50.000000000 -0700
+++ nginx-1.4.1-patched/src/event/ngx_event_accept.c 2013-07-10
13:05:02.001249099 -0700
@@ -269,17 +269,28 @@ ngx_event_accept(ngx_event_t *ev)
 #endif

         if (ls->addr_ntop) {
-            c->addr_text.data = ngx_pnalloc(c->pool, ls->addr_text_max_len);
-            if (c->addr_text.data == NULL) {
-                ngx_close_accepted_connection(c);
-                return;
-            }
+            if (socklen > sizeof(c->sockaddr->sa_family)) {
+                c->addr_text.data = ngx_pnalloc(c->pool,
ls->addr_text_max_len);
+                if (c->addr_text.data == NULL) {
+                    ngx_close_accepted_connection(c);
+                    return;
+                }
+
+                c->addr_text.len = ngx_sock_ntop(c->sockaddr,
c->addr_text.data,
+                                                 ls->addr_text_max_len, 0);
+                if (c->addr_text.len == 0) {
+                    ngx_close_accepted_connection(c);
+                    return;
+                }
+
+            } else {
+                /*
+                 * Linux accept/accept4 syscalls, for example, do not return
+                 * address data upon unix domain sockets
+                 */

-            c->addr_text.len = ngx_sock_ntop(c->sockaddr, c->addr_text.data,
-                                             ls->addr_text_max_len, 0);
-            if (c->addr_text.len == 0) {
-                ngx_close_accepted_connection(c);
-                return;
+                c->addr_text.data = NULL;
+                c->addr_text.len = 0;
             }
         }

-agentzh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-1.4.1-unix_socket_accept_over_read.patch
Type: application/octet-stream
Size: 1669 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20130710/adbacda0/attachment.obj>

More information about the nginx-devel mailing list