[PATCH] Fix a buffer overflow issue in ngx_hash_t when exceeding limits
Yichun Zhang (agentzh)
agentzh at gmail.com
Thu Oct 2 19:32:57 UTC 2014
Hello!
Valgrind memcheck caught a buffer overflow issue in ngx_hash_t when
exceeding the pre-configured limits on my side:
==7417== Invalid write of size 2
==7417== at 0x40600D: ngx_hash_init (ngx_hash.c:324)
==7417== by 0x45BBFD: ngx_http_proxy_merge_loc_conf (ngx_http_proxy_module.c:3214)
==7417== by 0x422C80: ngx_http_block (ngx_http.c:597)
==7417== by 0x412CE0: ngx_conf_parse (ngx_conf_file.c:391)
==7417== by 0x410971: ngx_init_cycle (ngx_cycle.c:264)
==7417== by 0x403FF0: main (nginx.c:333)
==7417== Address 0x4e66300 is 0 bytes after a block of size 1,024 alloc'd
==7417== at 0x4A0645D: malloc (vg_replace_malloc.c:291)
==7417== by 0x41C46A: ngx_alloc (ngx_alloc.c:22)
==7417== by 0x405ED5: ngx_hash_init (ngx_hash.c:271)
==7417== by 0x45BBFD: ngx_http_proxy_merge_loc_conf (ngx_http_proxy_module.c:3214)
==7417== by 0x422C80: ngx_http_block (ngx_http.c:597)
==7417== by 0x412CE0: ngx_conf_parse (ngx_conf_file.c:391)
==7417== by 0x410971: ngx_init_cycle (ngx_cycle.c:264)
==7417== by 0x403FF0: main (nginx.c:333)
==7417==
To reproduce it, just use the default official nginx 1.7.5 to run the
following nginx snippet:
proxy_set_header X-Forwarded-For "1.2.3.4";
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
Basically the buffer is iterated through by its size plus one.
The following patch fixes this:
# HG changeset patch
# User Yichun Zhang <agentzh at gmail.com>
# Date 1412276417 25200
# Thu Oct 02 12:00:17 2014 -0700
# Node ID 4032b992f23b054c1a2cfb0be879330d2c6708e5
# Parent 1ff0f68d9376e3d184d65814a6372856bf65cfcd
Hash: buffer overflow might happen when exceeding the pre-configured limits.
diff -r 1ff0f68d9376 -r 4032b992f23b src/core/ngx_hash.c
--- a/src/core/ngx_hash.c Tue Sep 30 15:50:28 2014 -0700
+++ b/src/core/ngx_hash.c Thu Oct 02 12:00:17 2014 -0700
@@ -312,6 +312,8 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng
continue;
}
+ size--;
+
ngx_log_error(NGX_LOG_WARN, hinit->pool->log, 0,
"could not build optimal %s, you should increase "
"either %s_max_size: %i or %s_bucket_size: %i; "
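Review bot: the bare `size--` inserted before the warning log is correct only because control reaches this point when the search loop above the hunk has run off the end of its range, leaving size one past the buffer that the valgrind trace shows being overrun, and nothing in the hunk says so; add a comment at the decrement, e.g. `/* loop exhausted: size is one past the allocated range, bring it back */`, so the next reader does not mistake it for a stray edit. The warning text that follows still reports hinit->max_size rather than size, so no further change is needed in the log call.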
Attachment: hash_overflow.patch (text/x-patch, 770 bytes): <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141002/e9f2947e/attachment.bin>
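The following is an added example, not nginx's own code and not part of the original message: a small C model of the table-size search that the report describes, where the counter buffer holds room for max_size entries while the loop steps size from start up to and including max_size. When no size satisfies the bucket limit, the loop leaves size one past the allocation, and the per-bucket initialisation that follows would write past the end (the "iterated through by its size plus one" in the report). With `fixed` set, the decrement from the patch clamps size back into range. The element hashes, sizes and limits below are constructed inputs, and the names `choose_size`, `unfit_case` and `fit_case` are assumptions for this example.

```c
/*
 * Added example (not nginx's code): model of the bucket-size search in
 * ngx_hash_init().  `test` is allocated with max_size counters only; the
 * search loop runs size from start through max_size inclusive.  If no size
 * keeps every bucket within bucket_size, the loop exits with
 * size == max_size + 1, one past the allocation.
 * All inputs (hashes, element sizes, limits) are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t key_hash;  /* hash of the key, constructed for the example */
    uint16_t elt_size;  /* bytes the element occupies in its bucket */
} elt_t;

/* Returns the table size the search settles on.  With fixed == 0 the
 * original off-by-one is reproduced (max_size + 1 on exhaustion); with
 * fixed == 1 the patch's decrement clamps it to max_size. */
static size_t
choose_size(const elt_t *elts, size_t nelts, size_t start, size_t max_size,
            size_t bucket_size, int fixed)
{
    uint16_t *test;
    size_t    size, n;
    int       found = 0;

    test = malloc(max_size * sizeof(uint16_t));   /* max_size counters only */
    if (test == NULL) {
        return 0;
    }

    for (size = start; size <= max_size; size++) {
        memset(test, 0, size * sizeof(uint16_t));
        found = 1;

        for (n = 0; n < nelts; n++) {
            size_t key = elts[n].key_hash % size;

            test[key] = (uint16_t) (test[key] + elts[n].elt_size);
            if (test[key] > bucket_size) {
                found = 0;              /* this size overfills a bucket */
                break;
            }
        }

        if (found) {
            break;
        }
    }

    if (!found && fixed) {
        size--;   /* the patch: size is max_size + 1 here, so clamp it */
    }

    /* The real code now initialises test[0 .. size).  Guard it here instead
     * of performing the out-of-bounds write when size is still too large. */
    if (size <= max_size) {
        for (n = 0; n < size; n++) {
            test[n] = sizeof(void *);
        }
    }

    free(test);
    return size;
}

/* Constructed case that never fits: for every size in 1..4 at least two of
 * the four elements share a bucket, pushing it to 10 > bucket_size 8. */
static size_t
unfit_case(int fixed)
{
    static const elt_t elts[] = {
        { 0, 5 }, { 4, 5 }, { 8, 5 }, { 12, 5 },
    };
    return choose_size(elts, 4, 1, 4, 8, fixed);
}

/* Constructed case that fits at size 3: hashes 0, 4, 8 land in buckets 0, 1, 2. */
static size_t
fit_case(int fixed)
{
    static const elt_t elts[] = {
        { 0, 5 }, { 4, 5 }, { 8, 5 },
    };
    return choose_size(elts, 3, 1, 4, 8, fixed);
}

int
main(void)
{
    printf("fit case:          size %zu (allocation holds 4)\n", fit_case(0));
    printf("unfit, unpatched:  size %zu (allocation holds 4)\n", unfit_case(0));
    printf("unfit, patched:    size %zu (allocation holds 4)\n", unfit_case(1));
    return 0;
}
```

The guard before the initialisation loop is only there so the model can be run safely; the point is that, without the decrement, `choose_size` hands back a size larger than the allocation it was searching over, which is exactly what the "0 bytes after a block of size 1,024" line in the valgrind output reflects.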