Heap buffer overflow (read) when using $binary_remote_addr with unix sockets

Stephan Dollberg sdollberg at cloudflare.com
Tue Aug 15 10:10:10 UTC 2017


Hi,

When using $binary_remote_addr together with unix sockets (without
using X-Real-Ip) there is a heap buffer overread of two bytes.

The problem is that we only allocate two bytes for c->sockaddr here
http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167
but later on assume it to be of size four
http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246

Now, one could argue that using remote addr and unix sockets without
X-Real-Ip might not make sense but I still wanted to report it. Maybe
it might make sense to issue a warning or something.

The issue can be reproduced by compiling with address sanitizer and
-DNGX_DEBUG_PALLOC and using something like the following config:

daemon off;
master_process off;

events {
    worker_connections  1024;
}

error_log /dev/stdout debug;

http {
    server {
        listen 8000;
        listen unix:/tmp/nginx.sock backlog=10000;
        server_name  localhost;

        location / {
            proxy_pass http://unix:/tmp/nginx.sock:/foo;
        }

        location /foo {
            return 200 hello$binary_remote_addr;
        }
    }
}

Cheers,
Stephan
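
Added example, not part of the original message and not nginx code: a bounds-checked way to obtain the binary peer address that treats the length reported for the socket address as authoritative, so a family-only unix-socket address yields no bytes instead of a read past the allocation. The names binary_peer_addr and demo_unix_peer are hypothetical, and the input buffer is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper (not an nginx function): copy the peer's binary IP
 * address into out, reading only the socklen bytes that accept() reported.
 * Returns the number of bytes written; 0 means no IP address is available. */
size_t binary_peer_addr(const void *sa, size_t socklen,
                        unsigned char *out, size_t outcap)
{
    const size_t fam_off = offsetof(struct sockaddr, sa_family);
    sa_family_t family;

    if (sa == NULL || socklen < fam_off + sizeof(family)) return 0;
    memcpy(&family, (const char *) sa + fam_off, sizeof(family));

    if (family == AF_INET && socklen >= sizeof(struct sockaddr_in) && outcap >= 4) {
        memcpy(out, (const char *) sa + offsetof(struct sockaddr_in, sin_addr), 4);
        return 4;
    }
    if (family == AF_INET6 && socklen >= sizeof(struct sockaddr_in6) && outcap >= 16) {
        memcpy(out, (const char *) sa + offsetof(struct sockaddr_in6, sin6_addr), 16);
        return 16;
    }
    return 0;  /* AF_UNIX or a truncated address: nothing safe to read */
}

/* Constructed input: a heap buffer holding only the address family, like the
 * two-byte c->sockaddr in the report (two bytes where sa_family_t is 16-bit). */
size_t demo_unix_peer(void)
{
    const size_t len = offsetof(struct sockaddr, sa_family) + sizeof(sa_family_t);
    sa_family_t family = AF_UNIX;
    unsigned char out[16];
    unsigned char *sa = calloc(1, len);
    size_t n;

    if (sa == NULL) return (size_t) -1;
    memcpy(sa + offsetof(struct sockaddr, sa_family), &family, sizeof(family));
    n = binary_peer_addr(sa, len, out, sizeof(out));
    free(sa);
    return n;
}
```

Compiled with -fsanitize=address, demo_unix_peer() returns 0 without a sanitizer report, since no byte beyond the family field is read.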

