comparison src/core/ngx_output_chain.c @ 7401:a7ff19afbb14
Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.
While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Mon, 26 Nov 2018 18:29:56 +0300 |
parents | 4395758d08e6 |
children | 862f6130d357 |
7400:be5cb9c67c05 | 7401:a7ff19afbb14 |
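--- a/src/core/ngx_output_chain.c
+++ b/src/core/ngx_output_chain.c
@@ -124,10 +124,30 @@
                 ctx->in = ctx->in->next;
 
                 continue;
             }
 
+            if (bsize < 0) {
+
+                ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
+                              "negative size buf in output "
+                              "t:%d r:%d f:%d %p %p-%p %p %O-%O",
+                              ctx->in->buf->temporary,
+                              ctx->in->buf->recycled,
+                              ctx->in->buf->in_file,
+                              ctx->in->buf->start,
+                              ctx->in->buf->pos,
+                              ctx->in->buf->last,
+                              ctx->in->buf->file,
+                              ctx->in->buf->file_pos,
+                              ctx->in->buf->file_last);
+
+                ngx_debug_point();
+
+                return NGX_ERROR;
+            }
+
             if (ngx_output_chain_as_is(ctx, ctx->in->buf)) {
 
                 /* move the chain link to the output chain */
 
                 cl = ctx->in;
@@ -663,11 +683,10 @@
 
     c = ctx->connection;
 
     for (size = 0; in; in = in->next) {
 
-#if 1
         if (ngx_buf_size(in->buf) == 0 && !ngx_buf_special(in->buf)) {
 
             ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
                           "zero size buf in chain writer "
                           "t:%d r:%d f:%d %p %p-%p %p %O-%O",
@@ -683,11 +702,30 @@
 
             ngx_debug_point();
 
             continue;
         }
-#endif
+
+        if (ngx_buf_size(in->buf) < 0) {
+
+            ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
+                          "negative size buf in chain writer "
+                          "t:%d r:%d f:%d %p %p-%p %p %O-%O",
+                          in->buf->temporary,
+                          in->buf->recycled,
+                          in->buf->in_file,
+                          in->buf->start,
+                          in->buf->pos,
+                          in->buf->last,
+                          in->buf->file,
+                          in->buf->file_pos,
+                          in->buf->file_last);
+
+            ngx_debug_point();
+
+            return NGX_ERROR;
+        }
 
         size += ngx_buf_size(in->buf);
 
         ngx_log_debug2(NGX_LOG_DEBUG_CORE, c->log, 0,
                        "chain writer buf fl:%d s:%uO",
@@ -707,7 +745,6 @@
     ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0,
                    "chain writer in: %p", ctx->out);
 
     for (cl = ctx->out; cl; cl = cl->next) {
 
-#if 1
         if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
@@ -727,11 +764,30 @@
 
             ngx_debug_point();
 
             continue;
         }
-#endif
+
+        if (ngx_buf_size(cl->buf) < 0) {
+
+            ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
+                          "negative size buf in chain writer "
+                          "t:%d r:%d f:%d %p %p-%p %p %O-%O",
+                          cl->buf->temporary,
+                          cl->buf->recycled,
+                          cl->buf->in_file,
+                          cl->buf->start,
+                          cl->buf->pos,
+                          cl->buf->last,
+                          cl->buf->file,
+                          cl->buf->file_pos,
+                          cl->buf->file_last);
+
+            ngx_debug_point();
+
+            return NGX_ERROR;
+        }
 
         size += ngx_buf_size(cl->buf);
     }
 
     if (size == 0 && !c->buffered) {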
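Review bot: `ngx_buf_size()` is now evaluated three times per buffer in each chain-writer loop (new lines 688, 708 and 728 for the `in` loop, and 750, 770 and 790 for the `ctx->out` loop), whereas the first hunk tests a precomputed `bsize` at new line 129. Reading the size once into a local, e.g. `bsize = ngx_buf_size(in->buf);` followed by `if (bsize == 0 && !ngx_buf_special(in->buf))`, `if (bsize < 0)` and `size += bsize;`, would match the output-chain style and make the guard order (zero-size skipped, negative rejected) easier to follow; the declaration would have to go at the top of the function, which lies outside the hunk. A short comment above each new check would also tell later readers why a negative size is fatal while a zero size is merely skipped, for example `/* a negative size would make the writer send memory outside the buffer; reject the chain */`. Both ngx_output_chain and the chain writer begin outside the hunks shown, so I could not confirm the type of `size` or where `bsize` is declared.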