[PATCH 2 of 2] Stream: do not reallocate a parsed SNI host

Sergey Kandaurov pluknet at nginx.com
Thu Jun 6 14:32:21 UTC 2024 

On Thu, May 30, 2024 at 08:48:07PM +0400, Roman Arutyunyan wrote:
> Hi,
> 
> On Mon, May 27, 2024 at 02:21:44PM +0400, Sergey Kandaurov wrote:
> > # HG changeset patch
> > # User Sergey Kandaurov <pluknet at nginx.com>
> > # Date 1716805288 -14400
> > #      Mon May 27 14:21:28 2024 +0400
> > # Node ID 88fa18a0f05f7dead38a127bb24e5cf861f3d66d
> > # Parent  e82a7318ed48fdbc1273771bc96357e9dc232975
> > Stream: do not reallocate a parsed SNI host.
> > 
> > Unlike in http SNI callback, it doesn't need to be saved here.
> > 
> > diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
> > --- a/src/stream/ngx_stream_ssl_module.c
> > +++ b/src/stream/ngx_stream_ssl_module.c
> > @@ -501,7 +501,7 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t
> >  
> >      host.data = (u_char *) servername;
> >  
> > -    rc = ngx_stream_validate_host(&host, c->pool, 1);
> > +    rc = ngx_stream_validate_host(&host, c->pool, 0);
> >  
> >      if (rc == NGX_ERROR) {
> >          goto error;
> 
> While it's true the host variable is only used within this function, its
> content can be referenced by session after exiting it.  And that's why we
> should keep the reallocation here.
> 
> ngx_stream_find_virtual_server() calls ngx_stream_regex_exec() for server
> name regex, which can save references to parts of the host in capture variables.
> 

Indeed, this created unreferenced memory access.  Even though the passed
pointer appears to be valid until SSL shutdown, which follows stream log
handler, it's best to avoid.

# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1717681574 -14400
#      Thu Jun 06 17:46:14 2024 +0400
# Node ID 8a7d0ff7b75c664ddef2f985899612ef79643a59
# Parent  89277aea013e649cb2dfcb9621ce06e544ab1c31
Stream ssl_preread: do not reallocate a parsed SNI host.

We own this memory from the session pool.

diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -519,7 +519,7 @@ ngx_stream_ssl_preread_servername(ngx_st
 
     host = *servername;
 
-    rc = ngx_stream_validate_host(&host, c->pool, 1);
+    rc = ngx_stream_validate_host(&host, c->pool, 0);
 
     if (rc == NGX_ERROR) {
         return NGX_ERROR;

More information about the nginx-devel mailing list