comparison src/core/ngx_output_chain.c @ 7401:a7ff19afbb14

Negative size buffers detection. In the past, there were several security issues which resulted in worker process memory disclosure due to buffers with negative size. It looks reasonable to check for such buffers in various places, much like we already check for zero size buffers. While here, removed "#if 1 / #endif" around zero size buffer checks. It looks highly unlikely that we'll disable these checks anytime soon.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 26 Nov 2018 18:29:56 +0300
parents 4395758d08e6
children 862f6130d357
7400:be5cb9c67c05 7401:a7ff19afbb14
124 ctx->in = ctx->in->next; 124 ctx->in = ctx->in->next;
125 125
126 continue; 126 continue;
127 } 127 }
128 128
129 if (bsize < 0) {
130
131 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
132 "negative size buf in output "
133 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
134 ctx->in->buf->temporary,
135 ctx->in->buf->recycled,
136 ctx->in->buf->in_file,
137 ctx->in->buf->start,
138 ctx->in->buf->pos,
139 ctx->in->buf->last,
140 ctx->in->buf->file,
141 ctx->in->buf->file_pos,
142 ctx->in->buf->file_last);
143
144 ngx_debug_point();
145
146 return NGX_ERROR;
147 }
148
129 if (ngx_output_chain_as_is(ctx, ctx->in->buf)) { 149 if (ngx_output_chain_as_is(ctx, ctx->in->buf)) {
130 150
131 /* move the chain link to the output chain */ 151 /* move the chain link to the output chain */
132 152
133 cl = ctx->in; 153 cl = ctx->in;
663 683
664 c = ctx->connection; 684 c = ctx->connection;
665 685
666 for (size = 0; in; in = in->next) { 686 for (size = 0; in; in = in->next) {
667 687
668 #if 1
669 if (ngx_buf_size(in->buf) == 0 && !ngx_buf_special(in->buf)) { 688 if (ngx_buf_size(in->buf) == 0 && !ngx_buf_special(in->buf)) {
670 689
671 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0, 690 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
672 "zero size buf in chain writer " 691 "zero size buf in chain writer "
673 "t:%d r:%d f:%d %p %p-%p %p %O-%O", 692 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
683 702
684 ngx_debug_point(); 703 ngx_debug_point();
685 704
686 continue; 705 continue;
687 } 706 }
688 #endif 707
708 if (ngx_buf_size(in->buf) < 0) {
709
710 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
711 "negative size buf in chain writer "
712 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
713 in->buf->temporary,
714 in->buf->recycled,
715 in->buf->in_file,
716 in->buf->start,
717 in->buf->pos,
718 in->buf->last,
719 in->buf->file,
720 in->buf->file_pos,
721 in->buf->file_last);
722
723 ngx_debug_point();
724
725 return NGX_ERROR;
726 }
689 727
690 size += ngx_buf_size(in->buf); 728 size += ngx_buf_size(in->buf);
691 729
692 ngx_log_debug2(NGX_LOG_DEBUG_CORE, c->log, 0, 730 ngx_log_debug2(NGX_LOG_DEBUG_CORE, c->log, 0,
693 "chain writer buf fl:%d s:%uO", 731 "chain writer buf fl:%d s:%uO",
707 ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, 745 ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0,
708 "chain writer in: %p", ctx->out); 746 "chain writer in: %p", ctx->out);
709 747
710 for (cl = ctx->out; cl; cl = cl->next) { 748 for (cl = ctx->out; cl; cl = cl->next) {
711 749
712 #if 1
713 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) { 750 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
714 751
715 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0, 752 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
716 "zero size buf in chain writer " 753 "zero size buf in chain writer "
717 "t:%d r:%d f:%d %p %p-%p %p %O-%O", 754 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
727 764
728 ngx_debug_point(); 765 ngx_debug_point();
729 766
730 continue; 767 continue;
731 } 768 }
732 #endif 769
770 if (ngx_buf_size(cl->buf) < 0) {
771
772 ngx_log_error(NGX_LOG_ALERT, ctx->pool->log, 0,
773 "negative size buf in chain writer "
774 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
775 cl->buf->temporary,
776 cl->buf->recycled,
777 cl->buf->in_file,
778 cl->buf->start,
779 cl->buf->pos,
780 cl->buf->last,
781 cl->buf->file,
782 cl->buf->file_pos,
783 cl->buf->file_last);
784
785 ngx_debug_point();
786
787 return NGX_ERROR;
788 }
733 789
734 size += ngx_buf_size(cl->buf); 790 size += ngx_buf_size(cl->buf);
735 } 791 }
736 792
737 if (size == 0 && !c->buffered) { 793 if (size == 0 && !c->buffered) {
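Review bot: In both ngx_chain_writer loops the new code evaluates ngx_buf_size() three times per buffer — in the existing zero-size check, in the added `< 0` check, and again in `size += ngx_buf_size(in->buf)` / `size += ngx_buf_size(cl->buf)` — whereas the ngx_output_chain hunk already reads the size once into `bsize` and tests that. Reading it once per iteration, `off_t bsize = ngx_buf_size(in->buf);` (the declaration belonging with the function's other locals, which sit outside this section), and then testing `bsize == 0`, `bsize < 0` and accumulating `size += bsize` keeps the three uses visibly the same quantity, so a later edit cannot check one expression and sum another. A short why-comment above each new `< 0` test, e.g. `/* negative size (presumably pos > last or file_pos > file_last): fail the request instead of passing the size on; see commit message on memory disclosure */`, would record that this branch is intentionally fail-closed (`return NGX_ERROR`) while the zero-size branch merely skips the buffer with `continue`. Both ngx_output_chain and ngx_chain_writer start and end outside the hunks shown here.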