Mercurial > hg > nginx
comparison src/event/ngx_event_accept.c @ 7408:8af6dceeb648 stable-1.14
Events: fixed handling zero-length client address.
On Linux recvmsg() syscall may return a zero-length client address when
receiving a datagram from an unbound unix datagram socket. It is usually
assumed that socket address has at least the sa_family member. Zero-length
socket address caused buffer over-read in functions which receive socket
address, for example ngx_sock_ntop(). Typically the over-read resulted in
unexpected socket family followed by session close. Now a fake socket address
is allocated instead of a zero-length client address.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Fri, 01 Jun 2018 16:53:02 +0300 |
| parents | fef61d26da39 |
| children | 52aacc8ddcc5 |
comparison
equal
deleted
inserted
replaced
| 7407:b1a166ab7f04 | 7408:8af6dceeb648 |
|---|---|
| 446 | 446 |
| 447 if (c->socklen > (socklen_t) sizeof(ngx_sockaddr_t)) { | 447 if (c->socklen > (socklen_t) sizeof(ngx_sockaddr_t)) { |
| 448 c->socklen = sizeof(ngx_sockaddr_t); | 448 c->socklen = sizeof(ngx_sockaddr_t); |
| 449 } | 449 } |
| 450 | 450 |
| 451 if (c->socklen == 0) { | |
| 452 | |
| 453 /* | |
| 454 * on Linux recvmsg() returns zero msg_namelen | |
| 455 * when receiving packets from unbound AF_UNIX sockets | |
| 456 */ | |
| 457 | |
| 458 c->socklen = sizeof(struct sockaddr); | |
| 459 ngx_memzero(&sa, sizeof(struct sockaddr)); | |
| 460 sa.sockaddr.sa_family = ls->sockaddr->sa_family; | |
| 461 } | |
| 462 | |
| 451 #if (NGX_STAT_STUB) | 463 #if (NGX_STAT_STUB) |
| 452 (void) ngx_atomic_fetch_add(ngx_stat_active, 1); | 464 (void) ngx_atomic_fetch_add(ngx_stat_active, 1); |
| 453 #endif | 465 #endif |
| 454 | 466 |
| 455 c->pool = ngx_create_pool(ls->pool_size, ev->log); | 467 c->pool = ngx_create_pool(ls->pool_size, ev->log); |