invalid config accepted because allocation patterns
Maxim Dounin
mdounin at mdounin.ru
Mon Aug 17 11:26:58 UTC 2015
Hello!
On Sun, Aug 16, 2015 at 05:28:34PM +0300, Markus Linnala wrote:
> Sometimes nginx accepts invalid configuration.
>
> Like:
>
> <>
> worker_processes 1;
>
> events {
> worker_connections 1024;
> }
>
> http {
> map $http_host $tp_x_forwarded_for {
> default "a";
> }
> log_format main '$ht $tp_x_forwarded_for';
> access_log logs/access.log main;
> server {
> }
> }
> <>
>
> That is because parameter might be allocated one after another and then
> ngx_strncmp would compare whole set and get it wrong. Generally every line
> where there is ngx_strncmp(<typeof ngx_str_t>.data, <char *>, len) where
> length of ngx_str_t is less than len might trigger this issue.
>
> Only small configuration change can change allocation patterns and this
> might not work for you.
>
> I don't know if there is any other usage for this than to learn how nginx
> memory allocators and ngx_str_t works.
>
> If you use no-pool-nginx patch and ASAN, you'll trigger "ERROR:
> AddressSanitizer: heap-buffer-overflow".
>
> Right way to handle this would always check that ngx_str_t len is >=
> ngx_strncmp second arg before every ngx_strncmp()==0 call.
The ngx_strncmp() call without any additional checks is fine as
long as the string tested is expected to be null-terminated (or
followed by some other character known not to match). And this is
the case for most uses of ngx_strncmp(), except may be some bugs.
> Example:
>
> Breakpoint 1, ngx_http_variables_init_vars (cf=cf at entry=0x7fffffffe2b0) at
> src/http/ngx_http_variables.c:2538
> 2538 if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
> (gdb) list
> 2533
> 2534 goto next;
> 2535 }
> 2536 }
> 2537
> 2538 if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
> 2539 v[i].get_handler = ngx_http_variable_unknown_header_in;
> 2540 v[i].data = (uintptr_t) &v[i].name;
> 2541
> 2542 continue;
> (gdb) print ((ngx_http_variable_t*)cmcf->variables.elts)[i]
> $10 = {name = {len = 2, data = 0x5555558b96a8
> "http_x_forwarded_foraccess_log"}, set_handler = 0x0,
> get_handler = 0x0, data = 0, flags = 0, index = 2}
> gdb) cont
> Continuing.
> nginx: the configuration file /data/nginx/test.conf syntax is ok
> nginx: configuration file /data/nginx/test.conf test is successful
> [Inferior 1 (process 29905) exited normally]
This looks like a bug.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list