[nginx] Geo: fixed uninitialized memory access.

Sergey Kandaurov pluknet at nginx.com
Wed Mar 27 17:46:26 UTC 2024 

details:   https://hg.nginx.org/nginx/rev/687c8306746f
branches:  
changeset: 9226:687c8306746f
user:      Piotr Sikora <piotr at aviatrix.com>
date:      Thu Mar 14 18:37:20 2024 +0400
description:
Geo: fixed uninitialized memory access.

While copying ngx_http_variable_value_t structures to geo binary base
in ngx_http_geo_copy_values(), and similarly in the stream module,
uninitialized parts of these structures are copied as well.  These
include the "escape" field and possible holes.  Calculating crc32 of
this data triggers uninitialized memory access.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotr at aviatrix.com>

diffstat:

 src/http/modules/ngx_http_geo_module.c |  4 +---
 src/stream/ngx_stream_geo_module.c     |  4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diffs (42 lines):

diff -r 96ff3f8b7e50 -r 687c8306746f src/http/modules/ngx_http_geo_module.c
--- a/src/http/modules/ngx_http_geo_module.c	Fri Mar 22 18:39:50 2024 +0400
+++ b/src/http/modules/ngx_http_geo_module.c	Thu Mar 14 18:37:20 2024 +0400
@@ -1259,7 +1259,7 @@ ngx_http_geo_value(ngx_conf_t *cf, ngx_h
         return gvvn->value;
     }
 
-    val = ngx_palloc(ctx->pool, sizeof(ngx_http_variable_value_t));
+    val = ngx_pcalloc(ctx->pool, sizeof(ngx_http_variable_value_t));
     if (val == NULL) {
         return NULL;
     }
@@ -1271,8 +1271,6 @@ ngx_http_geo_value(ngx_conf_t *cf, ngx_h
     }
 
     val->valid = 1;
-    val->no_cacheable = 0;
-    val->not_found = 0;
 
     gvvn = ngx_palloc(ctx->temp_pool,
                       sizeof(ngx_http_geo_variable_value_node_t));
diff -r 96ff3f8b7e50 -r 687c8306746f src/stream/ngx_stream_geo_module.c
--- a/src/stream/ngx_stream_geo_module.c	Fri Mar 22 18:39:50 2024 +0400
+++ b/src/stream/ngx_stream_geo_module.c	Thu Mar 14 18:37:20 2024 +0400
@@ -1209,7 +1209,7 @@ ngx_stream_geo_value(ngx_conf_t *cf, ngx
         return gvvn->value;
     }
 
-    val = ngx_palloc(ctx->pool, sizeof(ngx_stream_variable_value_t));
+    val = ngx_pcalloc(ctx->pool, sizeof(ngx_stream_variable_value_t));
     if (val == NULL) {
         return NULL;
     }
@@ -1221,8 +1221,6 @@ ngx_stream_geo_value(ngx_conf_t *cf, ngx
     }
 
     val->valid = 1;
-    val->no_cacheable = 0;
-    val->not_found = 0;
 
     gvvn = ngx_palloc(ctx->temp_pool,
                       sizeof(ngx_stream_geo_variable_value_node_t));

More information about the nginx-devel mailing list