comparison src/http/ngx_http_write_filter_module.c @ 7401:a7ff19afbb14

Negative size buffers detection. In the past, there were several security issues which resulted in worker process memory disclosure due to buffers with negative size. It looks reasonable to check for such buffers in various places, much like we already check for zero size buffers. While here, removed "#if 1 / #endif" around zero size buffer checks. It looks highly unlikely that we'll disable these checks anytime soon.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 26 Nov 2018 18:29:56 +0300
parents f01ab2dbcfdc
children c19ca381b2e6
7400:be5cb9c67c05 7401:a7ff19afbb14
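--- a/src/http/ngx_http_write_filter_module.c
+++ b/src/http/ngx_http_write_filter_module.c
@@ -78,11 +78,10 @@
 cl->buf->start, cl->buf->pos,
 cl->buf->last - cl->buf->pos,
 cl->buf->file_pos,
 cl->buf->file_last - cl->buf->file_pos);
 
-#if 1
 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
 "zero size buf in writer "
 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
 cl->buf->temporary,
@@ -96,11 +95,28 @@
 cl->buf->file_last);
 
 ngx_debug_point();
 return NGX_ERROR;
 }
-#endif
+
+if (ngx_buf_size(cl->buf) < 0) {
+ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+"negative size buf in writer "
+"t:%d r:%d f:%d %p %p-%p %p %O-%O",
+cl->buf->temporary,
+cl->buf->recycled,
+cl->buf->in_file,
+cl->buf->start,
+cl->buf->pos,
+cl->buf->last,
+cl->buf->file,
+cl->buf->file_pos,
+cl->buf->file_last);
+
+ngx_debug_point();
+return NGX_ERROR;
+}
 
 size += ngx_buf_size(cl->buf);
 
 if (cl->buf->flush || cl->buf->recycled) {
 flush = 1;
@@ -134,11 +150,10 @@
 cl->buf->start, cl->buf->pos,
 cl->buf->last - cl->buf->pos,
 cl->buf->file_pos,
 cl->buf->file_last - cl->buf->file_pos);
 
-#if 1
 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
 "zero size buf in writer "
 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
 cl->buf->temporary,
@@ -152,11 +167,28 @@
 cl->buf->file_last);
 
 ngx_debug_point();
 return NGX_ERROR;
 }
-#endif
+
+if (ngx_buf_size(cl->buf) < 0) {
+ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+"negative size buf in writer "
+"t:%d r:%d f:%d %p %p-%p %p %O-%O",
+cl->buf->temporary,
+cl->buf->recycled,
+cl->buf->in_file,
+cl->buf->start,
+cl->buf->pos,
+cl->buf->last,
+cl->buf->file,
+cl->buf->file_pos,
+cl->buf->file_last);
+
+ngx_debug_point();
+return NGX_ERROR;
+}
 
 size += ngx_buf_size(cl->buf);
 
 if (cl->buf->flush || cl->buf->recycled) {
 flush = 1;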
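Review bot: The new negative-size branch at new lines 101-117 repeats the zero-size branch's log-and-return body verbatim, differing only in the message, and with the existing `size += ngx_buf_size(cl->buf);` the size macro is now expanded three times per buffer in that loop; the same pattern is repeated at new lines 173-189 in the second loop. Evaluating it once, `off_t bsize = ngx_buf_size(cl->buf);` before the checks, then testing `bsize == 0 && !ngx_buf_special(cl->buf)` and `bsize < 0` and accumulating `size += bsize;`, would make the two sanity checks read as a single validation step and keep one expansion per buffer. A brief comment on the negative check saying that a negative size here indicates a corrupted buffer (pos past last, or file_pos past file_last) and that bailing out prevents such a buffer from ever reaching the send path would help the next reader see why it is an alert rather than a skip. Both loops, and the enclosing ngx_http_write_filter function, begin and end outside the hunks.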