Mercurial > hg > nginx-quic
view src/os/win32/ngx_socket.h @ 7054:e02555553d0b
Range filter: protect from total size overflows.
The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check). These can result in the following errors in logs:
[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)
When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.
In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer. This never happens with standard nginx modules
though, as well as known 3rd party modules.
Fix is to properly protect from possible overflow when incrementing size.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 11 Jul 2017 16:06:23 +0300 |
| parents | 2a621245f4cf |
| children | 4089b3d2cb59 |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_SOCKET_H_INCLUDED_ #define _NGX_SOCKET_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #define NGX_WRITE_SHUTDOWN SD_SEND typedef SOCKET ngx_socket_t; typedef int socklen_t; #define ngx_socket(af, type, proto) \ WSASocketW(af, type, proto, NULL, 0, WSA_FLAG_OVERLAPPED) #define ngx_socket_n "WSASocketW()" int ngx_nonblocking(ngx_socket_t s); int ngx_blocking(ngx_socket_t s); #define ngx_nonblocking_n "ioctlsocket(FIONBIO)" #define ngx_blocking_n "ioctlsocket(!FIONBIO)" #define ngx_shutdown_socket shutdown #define ngx_shutdown_socket_n "shutdown()" #define ngx_close_socket closesocket #define ngx_close_socket_n "closesocket()" #ifndef WSAID_ACCEPTEX typedef BOOL (PASCAL FAR * LPFN_ACCEPTEX)( IN SOCKET sListenSocket, IN SOCKET sAcceptSocket, IN PVOID lpOutputBuffer, IN DWORD dwReceiveDataLength, IN DWORD dwLocalAddressLength, IN DWORD dwRemoteAddressLength, OUT LPDWORD lpdwBytesReceived, IN LPOVERLAPPED lpOverlapped ); #define WSAID_ACCEPTEX \ {0xb5367df1,0xcbac,0x11cf,{0x95,0xca,0x00,0x80,0x5f,0x48,0xa1,0x92}} #endif #ifndef WSAID_GETACCEPTEXSOCKADDRS typedef VOID (PASCAL FAR * LPFN_GETACCEPTEXSOCKADDRS)( IN PVOID lpOutputBuffer, IN DWORD dwReceiveDataLength, IN DWORD dwLocalAddressLength, IN DWORD dwRemoteAddressLength, OUT struct sockaddr **LocalSockaddr, OUT LPINT LocalSockaddrLength, OUT struct sockaddr **RemoteSockaddr, OUT LPINT RemoteSockaddrLength ); #define WSAID_GETACCEPTEXSOCKADDRS \ {0xb5367df2,0xcbac,0x11cf,{0x95,0xca,0x00,0x80,0x5f,0x48,0xa1,0x92}} #endif #ifndef WSAID_TRANSMITFILE #ifndef TF_DISCONNECT #define TF_DISCONNECT 1 #define TF_REUSE_SOCKET 2 #define TF_WRITE_BEHIND 4 #define TF_USE_DEFAULT_WORKER 0 #define TF_USE_SYSTEM_THREAD 16 #define TF_USE_KERNEL_APC 32 typedef struct _TRANSMIT_FILE_BUFFERS { LPVOID Head; DWORD HeadLength; LPVOID Tail; DWORD TailLength; } TRANSMIT_FILE_BUFFERS, *PTRANSMIT_FILE_BUFFERS, FAR *LPTRANSMIT_FILE_BUFFERS; #endif typedef BOOL (PASCAL FAR * LPFN_TRANSMITFILE)( IN SOCKET hSocket, IN HANDLE hFile, IN DWORD nNumberOfBytesToWrite, IN DWORD nNumberOfBytesPerSend, IN LPOVERLAPPED lpOverlapped, IN LPTRANSMIT_FILE_BUFFERS lpTransmitBuffers, IN DWORD dwReserved ); #define WSAID_TRANSMITFILE \ {0xb5367df0,0xcbac,0x11cf,{0x95,0xca,0x00,0x80,0x5f,0x48,0xa1,0x92}} #endif #ifndef WSAID_TRANSMITPACKETS /* OpenWatcom has a swapped TP_ELEMENT_FILE and TP_ELEMENT_MEMORY definition */ #ifndef TP_ELEMENT_FILE #ifdef _MSC_VER #pragma warning(disable:4201) /* Nonstandard extension, nameless struct/union */ #endif typedef struct _TRANSMIT_PACKETS_ELEMENT { ULONG dwElFlags; #define TP_ELEMENT_MEMORY 1 #define TP_ELEMENT_FILE 2 #define TP_ELEMENT_EOP 4 ULONG cLength; union { struct { LARGE_INTEGER nFileOffset; HANDLE hFile; }; PVOID pBuffer; }; } TRANSMIT_PACKETS_ELEMENT, *PTRANSMIT_PACKETS_ELEMENT, FAR *LPTRANSMIT_PACKETS_ELEMENT; #ifdef _MSC_VER #pragma warning(default:4201) #endif #endif typedef BOOL (PASCAL FAR * LPFN_TRANSMITPACKETS) ( SOCKET hSocket, TRANSMIT_PACKETS_ELEMENT *lpPacketArray, DWORD nElementCount, DWORD nSendSize, LPOVERLAPPED lpOverlapped, DWORD dwFlags ); #define WSAID_TRANSMITPACKETS \ {0xd9689da0,0x1f90,0x11d3,{0x99,0x71,0x00,0xc0,0x4f,0x68,0xc8,0x76}} #endif #ifndef WSAID_CONNECTEX typedef BOOL (PASCAL FAR * LPFN_CONNECTEX) ( IN SOCKET s, IN const struct sockaddr FAR *name, IN int namelen, IN PVOID lpSendBuffer OPTIONAL, IN DWORD dwSendDataLength, OUT LPDWORD lpdwBytesSent, IN LPOVERLAPPED lpOverlapped ); #define WSAID_CONNECTEX \ {0x25a207b9,0xddf3,0x4660,{0x8e,0xe9,0x76,0xe5,0x8c,0x74,0x06,0x3e}} #endif #ifndef WSAID_DISCONNECTEX typedef BOOL (PASCAL FAR * LPFN_DISCONNECTEX) ( IN SOCKET s, IN LPOVERLAPPED lpOverlapped, IN DWORD dwFlags, IN DWORD dwReserved ); #define WSAID_DISCONNECTEX \ {0x7fda2e11,0x8630,0x436f,{0xa0,0x31,0xf5,0x36,0xa6,0xee,0xc1,0x57}} #endif extern LPFN_ACCEPTEX ngx_acceptex; extern LPFN_GETACCEPTEXSOCKADDRS ngx_getacceptexsockaddrs; extern LPFN_TRANSMITFILE ngx_transmitfile; extern LPFN_TRANSMITPACKETS ngx_transmitpackets; extern LPFN_CONNECTEX ngx_connectex; extern LPFN_DISCONNECTEX ngx_disconnectex; int ngx_tcp_push(ngx_socket_t s); #define ngx_tcp_push_n "tcp_push()" #endif /* _NGX_SOCKET_H_INCLUDED_ */