Heap buffer overflow (read) when using $binary_remote_addr with unix sockets

Sergey Kandaurov pluknet at nginx.com
Wed Sep 20 13:21:22 UTC 2017


> On 15 Aug 2017, at 13:10, Stephan Dollberg via nginx-devel <nginx-devel at nginx.org> wrote:
> 
> Hi,
> 
> When using $binary_remote_addr together with unix sockets (without
> using X-Real-Ip) there is a heap buffer overread of two bytes.
> 
> The problem is that we only allocate two bytes for c->sockaddr here
> http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167
> but later on assume it to be of size four
> http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246
> 
> 

Thanks, this is a valid report.
The reason is that UNIX-domain sockets support
is not implemented for $binary_remote_addr.
There are actually more issues, we are working on it.

-- 
Sergey Kandaurov



More information about the nginx-devel mailing list