invalid config accepted because allocation patterns

Markus Linnala Markus.Linnala at cybercom.com
Sun Aug 16 14:28:34 UTC 2015


Sometimes nginx accepts invalid configuration.

Like:

<>
worker_processes  1;

events {
     worker_connections  1024;
}

http {
    map $http_host $tp_x_forwarded_for {
      default "a";
    }
    log_format  main  '$ht $tp_x_forwarded_for';
    access_log  logs/access.log  main;
    server {
    }
}
<>

That is because parameter might be allocated one after another and 
then ngx_strncmp would compare whole set and get it wrong. Generally 
every line where there is ngx_strncmp(<typeof ngx_str_t>.data, <char 
*>, len) where length of ngx_str_t is less than len might trigger 
this issue.

Only small configuration change can change allocation patterns and 
this might not work for you.

I don't know if there is any other usage for this than to learn how 
nginx memory allocators and ngx_str_t works.

If you use no-pool-nginx patch and ASAN, you'll trigger "ERROR: 
AddressSanitizer: heap-buffer-overflow".

Right way to handle this would always check that ngx_str_t len is >= 
ngx_strncmp second arg before every ngx_strncmp()==0 call.

Example:

Breakpoint 1, ngx_http_variables_init_vars 
(cf=cf at entry=0x7fffffffe2b0) at src/http/ngx_http_variables.c:2538
2538            if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
(gdb) list
2533
2534                    goto next;
2535                }
2536            }
2537
2538            if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
2539                v[i].get_handler = 
ngx_http_variable_unknown_header_in;
2540                v[i].data = (uintptr_t) &v[i].name;
2541
2542                continue;
(gdb) print ((ngx_http_variable_t*)cmcf->variables.elts)[i]
$10 = {name = {len = 2, data = 0x5555558b96a8 
"http_x_forwarded_foraccess_log"}, set_handler = 0x0,
   get_handler = 0x0, data = 0, flags = 0, index = 2}
gdb) cont
Continuing.
nginx: the configuration file /data/nginx/test.conf syntax is ok
nginx: configuration file /data/nginx/test.conf test is successful
[Inferior 1 (process 29905) exited normally]



More information about the nginx-devel mailing list