[PATCH] Multiple calls to ngx_parse_url cause index out of bounds bug
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 29 17:26:42 UTC 2020
Hello!
On Sun, Dec 27, 2020 at 09:26:44PM +0800, Attenuation wrote:
> Hello, I found an array index out of bounds bug in the ngx_inet_add_addr()
> function.
> In my case, I want to use ngx_parse_url(cf->pool, u) twice to update my
> address.
> Consider this situation: in both function calls the argument u has
> u->url.data set to a string containing an IP address, and the call trace is
>
> ngx_inet_add_addr (src/core/ngx_inet.c#L1274)
> ngx_parse_inet_url (src/core/ngx_inet.c#L968)
> ngx_parse_url (src/core/ngx_inet.c#L700)
>
> In the first ngx_parse_url() call, the u->url.data IP address is successfully
> added to the u->addrs array, and u->naddrs is increased to 1. Then, in the
> second ngx_parse_url() call, the u->url.data IP address is added to the
> u->addrs array again; because u->naddrs was increased to 1 in the first call,
> this time our updated IP address is added to u->addrs[1], but the u->addrs
> array was allocated with only 1 * sizeof(ngx_addr_t):
>
> src/core/ngx_inet.c#L1275 u->addrs = ngx_palloc(pool, total * nports *
> sizeof(ngx_addr_t));
>
> So the second time I call this function it causes a memory error, and it may
> even make the program crash.
>
> In order to avoid this bug, we need to check the index of u->addrs.
> Could you help me check where there is a problem? Thanks!
The ngx_parse_url() function expects the ngx_url_t structure to be
zeroed out, and with some input fields set, such as u.url and
u.default_port. Calling ngx_parse_url() with the ngx_url_t
structure not reinitialized after previous parsing is a bug.
That is, you should reconsider your code: if you want to reuse the
same ngx_url_t structure for multiple calls of ngx_parse_url(),
you have to reinitialize it before each call.
--
Maxim Dounin
http://mdounin.ru/
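The reuse contract Maxim describes, shown as an added example in plain C. This is not nginx code and not the reporter's code: demo_url_t, demo_parse_url(), demo_add_addr() and demo_parse_ipv4() are hypothetical stand-ins that keep only the shape of ngx_url_t and ngx_inet_add_addr() from the thread (addrs allocated on first use for `total` entries, the new entry appended at addrs[naddrs]). The stand-in refuses to write past the buffer instead of corrupting memory, so the two calling patterns can be compared side by side; the IP strings are constructed sample input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ngx_addr_t: the parsed IPv4 and its source text. */
typedef struct {
    uint32_t    ipv4;      /* host byte order */
    const char *name;
} demo_addr_t;

/* Hypothetical stand-in for ngx_url_t. As with ngx_url_t, the caller must zero
 * the whole structure and then set the input field(s) before every parse. */
typedef struct {
    const char  *url;      /* input: text to parse */
    unsigned     naddrs;   /* output: entries filled in addrs */
    demo_addr_t *addrs;    /* output: allocated by the parser on first use */
    unsigned     capacity; /* stand-in only: entries addrs can hold */
} demo_url_t;

/* Constructed helper (nginx uses its own ngx_inet_addr()): parse "a.b.c.d"
 * into a host-order uint32_t. Returns 0 on success, -1 on any malformed input. */
static int demo_parse_ipv4(const char *s, uint32_t *out)
{
    unsigned o[4];
    char     extra;

    if (s == NULL) return -1;
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p) && *p != '.') return -1;
    }
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4) {
        return -1;
    }
    for (int i = 0; i < 4; i++) {
        if (o[i] > 255) return -1;
    }
    *out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return 0;
}

/* Keeps the shape of the ngx_inet_add_addr() quoted in the report: addrs is
 * allocated for `total` entries only while it is still NULL, and the new entry
 * goes to addrs[naddrs]. Unlike nginx it returns -1 instead of writing past the
 * allocation, i.e. the index check the reporter proposed, placed where the
 * out-of-bounds write would otherwise happen. */
static int demo_add_addr(demo_url_t *u, uint32_t ipv4, unsigned total)
{
    if (u->addrs == NULL) {
        u->addrs = calloc(total, sizeof(demo_addr_t));
        if (u->addrs == NULL) return -1;
        u->capacity = total;
    }
    if (u->naddrs >= u->capacity) {
        return -1;     /* a second parse on a reused struct lands here */
    }
    u->addrs[u->naddrs].ipv4 = ipv4;
    u->addrs[u->naddrs].name = u->url;
    u->naddrs++;
    return 0;
}

/* Stand-in for ngx_parse_url(): one IPv4 literal, added with total = 1
 * (nports = 1), matching the single-address case in the report. */
static int demo_parse_url(demo_url_t *u)
{
    uint32_t ipv4;
    if (demo_parse_ipv4(u->url, &ipv4) != 0) return -1;
    return demo_add_addr(u, ipv4, 1);
}

/* The reporter's pattern: parse, change url, parse again on the same structure
 * without resetting it. naddrs is still 1 and addrs is still the 1-entry
 * buffer, so the second add targets addrs[1]. Returns the second call's result. */
int demo_reuse_without_reset(void)
{
    demo_url_t u;
    int        rc;

    memset(&u, 0, sizeof(u));
    u.url = "192.0.2.10";              /* constructed sample input */
    rc = demo_parse_url(&u);
    if (rc == 0) {
        u.url = "192.0.2.20";          /* "update my address" */
        rc = demo_parse_url(&u);       /* -1 here; in nginx: write past addrs */
    }
    free(u.addrs);
    return rc;
}

/* The pattern Maxim describes: zero the structure and set its inputs before
 * each call, so every parse starts from naddrs == 0 and addrs == NULL (in nginx:
 * ngx_memzero(&u, sizeof(ngx_url_t)); u.url = ...; ngx_parse_url(cf->pool, &u)).
 * Stores the last call's naddrs in *naddrs_out and returns its result. */
int demo_reuse_with_reset(unsigned *naddrs_out)
{
    const char *inputs[] = { "192.0.2.10", "192.0.2.20" };   /* constructed */
    demo_url_t  u = {0};
    int         rc = -1;

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        memset(&u, 0, sizeof(u));      /* the reinitialization step */
        u.url = inputs[i];
        rc = demo_parse_url(&u);
        free(u.addrs);                 /* pool memory is not freed per call in
                                          nginx; this only keeps the stand-in
                                          leak-free */
        if (rc != 0) break;
    }
    *naddrs_out = u.naddrs;
    return rc;
}

int main(void)
{
    unsigned n = 0;
    int rc_bad = demo_reuse_without_reset();
    int rc_ok  = demo_reuse_with_reset(&n);

    printf("reuse without reset: rc=%d (addrs[1] of a 1-entry buffer)\n", rc_bad);
    printf("reuse with reset:    rc=%d naddrs=%u\n", rc_ok, n);
    return 0;
}
```

The stand-in fails closed at the index check so the difference between the two callers is visible as a return value; in nginx itself the same second call has nothing to stop the write at addrs[1], which is why the fix belongs in the caller (reinitialize before each parse) rather than in the parser.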