[PATCH] Multiple calls to ngx_parse_url cause index out of bounds bug

Attenuation ouyangjun1999 at gmail.com
Sun Dec 27 13:26:44 UTC 2020


Hello, I found an array index out of bounds bug in the ngx_inet_add_addr()
function.
In my case, I want to call ngx_parse_url(cf->pool, u) twice to update my
address.
Consider this situation: in both calls the argument u has u->url.data set to
a string containing an IP address, and the call trace is

ngx_inet_add_addr (src/core/ngx_inet.c#L1274)
ngx_parse_inet_url (src/core/ngx_inet.c#L968)
ngx_parse_url (src/core/ngx_inet.c#L700)

In the first ngx_parse_url() call, the IP address in u->url.data is
successfully added to the u->addrs array, and u->naddrs is increased to 1.
Then, in the second ngx_parse_url() call, the IP address in u->url.data is
again added to the u->addrs array. Because u->naddrs was increased to 1 in
the first call, this time our updated IP address is added at u->addrs[1],
but the u->addrs array was allocated with 1 * sizeof(ngx_addr_t).

src/core/ngx_inet.c#L1275  u->addrs = ngx_palloc(pool, total * nports * sizeof(ngx_addr_t));

So the second call to this function causes a memory error, and it may
even make the program crash.

In order to avoid this bug, we need to check the index of u->addrs.
Could you help me check where there is a problem? Thanks!

# HG changeset patch
# User Jun Ouyang <ouyangjun1999 at gmail.com>
# Date 1609070041 -28800
#      Sun Dec 27 19:54:01 2020 +0800
# Node ID 978ff553691d3fec538586cfa88e1e2b9858d4b5
# Parent  82228f955153527fba12211f52bf102c90f38dfb
Multiple calls to ngx_parse_url adding an addr to the addrs array cause an
index out of bounds bug

diff -r 82228f955153 -r 978ff553691d src/core/ngx_inet.c
--- a/src/core/ngx_inet.c       Tue Dec 15 17:41:39 2020 +0300
+++ b/src/core/ngx_inet.c       Sun Dec 27 19:54:01 2020 +0800
@@ -1278,6 +1278,10 @@
        }
    }

+    if (u->naddrs == nports * total) {
+        u->naddrs = 0;
+    }
+
    for (i = 0; i < nports; i++) {
        sa = ngx_pcalloc(pool, socklen);
        if (sa == NULL) {
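Review bot: the `if (u->naddrs == nports * total) u->naddrs = 0;` check only covers the case where the array is exactly full, and it masks a caller-side misuse rather than fixing it. Since u->addrs is only allocated when it is NULL, a second call with a larger nports * total than the first allocation never hits the equality and still writes past the end of the array; and when the equality does hit, the addresses already stored in u->addrs are silently overwritten with no indication to the caller. Either have the caller reset the ngx_url_t (ngx_memzero) before calling ngx_parse_url() again so that u->addrs and u->naddrs start from zero, or, if accumulating addresses across calls is really intended, record the allocated capacity and return NGX_ERROR (or grow the array) when u->naddrs would exceed it, instead of wrapping the index.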

-- 
*GPG public key: 4A6D297E6F74638E4D5F8E99152AC7B5F7608B26*
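As an added example that is not part of this message or of nginx itself: a self-contained C model of the reuse problem described above. The names url_t, url_add_addr and url_parse are invented for illustration. The model keeps the shape of the code discussed (allocate addrs only when it is NULL, then append at addrs[naddrs++]) but records the allocated capacity in a cap field, which is an assumption not present in the real ngx_url_t, so that the overflow can be reported instead of corrupting memory. The second function shows the caller-side alternative of zeroing the structure before parsing again.

```c
/*
 * Added example, not nginx code: a minimal model of reusing one ngx_url_t
 * across two parse calls.  url_t, url_add_addr and url_parse are invented
 * names; the cap field is an assumption added so the overflow can be
 * detected instead of silently writing past the array.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char     host[64];   /* stands in for ngx_addr_t.sockaddr */
    unsigned port;
} addr_t;

typedef struct {
    const char *url;     /* input, like u->url */
    addr_t     *addrs;   /* allocated once, like u->addrs */
    size_t      naddrs;  /* running count, like u->naddrs */
    size_t      cap;     /* nports * total at allocation time (assumed field) */
} url_t;

/* Same allocation pattern as described: allocate only when addrs == NULL,
 * then append at addrs[naddrs++].  Unlike the original, it refuses to write
 * past the capacity recorded at allocation and returns -1 instead. */
static int url_add_addr(url_t *u, const char *host, unsigned nports,
                        unsigned first_port, size_t total)
{
    if (u->addrs == NULL) {
        u->cap = (size_t) nports * total;
        u->addrs = calloc(u->cap, sizeof(addr_t));
        if (u->addrs == NULL) return -1;
    }
    for (unsigned i = 0; i < nports; i++) {
        if (u->naddrs >= u->cap) {
            return -1;   /* this is where the original indexes out of bounds */
        }
        addr_t *a = &u->addrs[u->naddrs++];
        snprintf(a->host, sizeof a->host, "%s", host);
        a->port = first_port + i;
    }
    return 0;
}

/* Stand-in for parsing a literal "host:port" URL: one address, one port,
 * so total = 1 and nports = 1, giving a 1-element addrs array. */
static int url_parse(url_t *u)
{
    char     host[64];
    unsigned port;
    if (sscanf(u->url, "%63[^:]:%u", host, &port) != 2) return -1;
    return url_add_addr(u, host, 1, port, 1);
}

/* Reuse the same url_t twice without resetting it: the second parse finds
 * addrs already allocated and naddrs == 1, so it would write addrs[1] in a
 * 1-element array.  Returns the second call's result (-1: overflow caught). */
int reuse_without_reset(void)
{
    url_t u;
    memset(&u, 0, sizeof u);
    u.url = "127.0.0.1:80";          /* constructed sample input */
    if (url_parse(&u) != 0) return -2;
    u.url = "127.0.0.1:81";          /* constructed sample input */
    int rc = url_parse(&u);
    free(u.addrs);
    return rc;
}

/* Reuse after zeroing the structure (the caller-side fix): each parse starts
 * from fresh addrs/naddrs.  Returns naddrs after the second parse (1). */
int reuse_with_reset(void)
{
    url_t u;
    memset(&u, 0, sizeof u);
    u.url = "127.0.0.1:80";
    if (url_parse(&u) != 0) return -2;
    free(u.addrs);                   /* nginx would leave this to the pool */
    memset(&u, 0, sizeof u);         /* the equivalent of ngx_memzero(u) */
    u.url = "127.0.0.1:81";
    if (url_parse(&u) != 0) return -2;
    int n = (int) u.naddrs;
    free(u.addrs);
    return n;
}

int main(void)
{
    printf("reuse without reset: rc=%d\n", reuse_without_reset());
    printf("reuse with reset:    naddrs=%d\n", reuse_with_reset());
    return 0;
}
```

With the bounds check in place the second unreset parse fails cleanly instead of writing past the allocation; with the structure zeroed between calls the second parse simply replaces the first address, which is what an "update" of the address is meant to do.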