Heap buffer overflow (read) when using $binary_remote_addr with unix sockets
Stephan Dollberg
sdollberg at cloudflare.com
Tue Aug 15 10:10:10 UTC 2017
Hi,

When using $binary_remote_addr together with unix sockets (without
using X-Real-Ip) there is a heap buffer overread of two bytes.

The problem is that we only allocate two bytes for c->sockaddr here
http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167
but later on assume it to be of size four
http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246

Now, one could argue that using remote addr and unix sockets without
X-Real-Ip might not make sense but I still wanted to report it. Maybe
it might make sense to issue a warning or something.

The issue can be reproduced by compiling with address sanitizer and
-DNGX_DEBUG_PALLOC and using something like the following config:

    daemon off;
    master_process off;

    events {
        worker_connections 1024;
    }

    error_log /dev/stdout debug;

    http {
        server {
            listen 8000;
            listen unix:/tmp/nginx.sock backlog=10000;
            server_name localhost;

            location / {
                proxy_pass http://unix:/tmp/nginx.sock:/foo;
            }

            location /foo {
                return 200 hello$binary_remote_addr;
            }
        }
    }

Cheers,
Stephan
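
Added example, not part of the original message and not nginx code: a guard that exposes a binary address only when the stored sockaddr's family and length allow it, exercised on an allocation sized exactly to what the kernel reports for an unnamed unix peer. The names binary_addr and unix_peer_binary_len are hypothetical, getpeername() on a socketpair stands in for accept() on a unix listener, and only IPv4 is handled to keep it short.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hypothetical guard: number of binary address bytes that may be read from sa
 * when only len bytes of it are valid; 0 if the family has none or sa is short. */
size_t binary_addr(const struct sockaddr *sa, socklen_t len,
                   const unsigned char **out)
{
    sa_family_t fam;

    *out = NULL;
    if (sa == NULL || len < (socklen_t) (offsetof(struct sockaddr, sa_family) + sizeof(fam)))
        return 0;
    memcpy(&fam, (const char *) sa + offsetof(struct sockaddr, sa_family), sizeof(fam));
    if (fam == AF_INET && len >= (socklen_t) sizeof(struct sockaddr_in)) {
        *out = (const unsigned char *) sa + offsetof(struct sockaddr_in, sin_addr);
        return sizeof(struct in_addr);
    }
    return 0;   /* AF_UNIX and anything else: no binary IP to expose */
}

/* Unnamed unix peer address copied into an allocation of exactly the reported
 * length, then passed through the guard. Returns (size_t) -1 on setup failure. */
size_t unix_peer_binary_len(void)
{
    int fds[2];
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    const unsigned char *p;
    struct sockaddr *copy;
    size_t n = (size_t) -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0)
        return n;
    if (getpeername(fds[0], (struct sockaddr *) &ss, &len) == 0
        && len > 0 && len <= sizeof(ss) && (copy = malloc(len)) != NULL) {
        memcpy(copy, &ss, len);          /* exact-size copy of the peer address */
        n = binary_addr(copy, len, &p);  /* guard never reads past len */
        free(copy);
    }
    close(fds[0]);
    close(fds[1]);
    return n;
}
```

Built with -fsanitize=address, the exact-size copy stays clean because the guard checks the family and length before touching sin_addr.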