Heap buffer overflow (read) when using $binary_remote_addr with unix sockets

Stephan Dollberg sdollberg at cloudflare.com
Tue Aug 15 10:10:10 UTC 2017


When using $binary_remote_addr together with unix sockets (without
using X-Real-Ip) there is a heap buffer overread of two bytes.

The problem is that we only allocate two bytes for c->sockaddr here
but later on assume it to be of size four

Now, one could argue that using remote addr and unix sockets without
X-Real-Ip might not make sense but I still wanted to report it. Maybe
it might make sense to issue a warning or something.

The issue can be reproduced by compiling with address sanitizer and
-DNGX_DEBUG_PALLOC and using something like the following config:

daemon off;
master_process off;

events {
    worker_connections  1024;
}

error_log /dev/stdout debug;

http {
    server {
        listen 8000;
        # the server proxies to itself over this unix socket
        listen unix:/tmp/nginx.sock backlog=10000;
        server_name  localhost;

        location / {
            proxy_pass http://unix:/tmp/nginx.sock:/foo;
        }

        location /foo {
            # evaluated on the unix-socket connection
            return 200 hello$binary_remote_addr;
        }
    }
}

