comparison src/http/ngx_http_write_filter_module.c @ 7401:a7ff19afbb14
Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.
While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 26 Nov 2018 18:29:56 +0300 |
parents | f01ab2dbcfdc |
children | c19ca381b2e6 |
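--- a/src/http/ngx_http_write_filter_module.c
+++ b/src/http/ngx_http_write_filter_module.c
@@ -78,11 +78,10 @@
 cl->buf->start, cl->buf->pos,
 cl->buf->last - cl->buf->pos,
 cl->buf->file_pos,
 cl->buf->file_last - cl->buf->file_pos);
 
-#if 1
 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
 "zero size buf in writer "
 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
 cl->buf->temporary,
@@ -96,11 +95,28 @@
 cl->buf->file_last);
 
 ngx_debug_point();
 return NGX_ERROR;
 }
-#endif
+
+if (ngx_buf_size(cl->buf) < 0) {
+ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+"negative size buf in writer "
+"t:%d r:%d f:%d %p %p-%p %p %O-%O",
+cl->buf->temporary,
+cl->buf->recycled,
+cl->buf->in_file,
+cl->buf->start,
+cl->buf->pos,
+cl->buf->last,
+cl->buf->file,
+cl->buf->file_pos,
+cl->buf->file_last);
+
+ngx_debug_point();
+return NGX_ERROR;
+}
 
 size += ngx_buf_size(cl->buf);
 
 if (cl->buf->flush || cl->buf->recycled) {
 flush = 1;
@@ -134,11 +150,10 @@
 cl->buf->start, cl->buf->pos,
 cl->buf->last - cl->buf->pos,
 cl->buf->file_pos,
 cl->buf->file_last - cl->buf->file_pos);
 
-#if 1
 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) {
 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
 "zero size buf in writer "
 "t:%d r:%d f:%d %p %p-%p %p %O-%O",
 cl->buf->temporary,
@@ -152,11 +167,28 @@
 cl->buf->file_last);
 
 ngx_debug_point();
 return NGX_ERROR;
 }
-#endif
+
+if (ngx_buf_size(cl->buf) < 0) {
+ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+"negative size buf in writer "
+"t:%d r:%d f:%d %p %p-%p %p %O-%O",
+cl->buf->temporary,
+cl->buf->recycled,
+cl->buf->in_file,
+cl->buf->start,
+cl->buf->pos,
+cl->buf->last,
+cl->buf->file,
+cl->buf->file_pos,
+cl->buf->file_last);
+
+ngx_debug_point();
+return NGX_ERROR;
+}
 
 size += ngx_buf_size(cl->buf);
 
 if (cl->buf->flush || cl->buf->recycled) {
 flush = 1;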
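Review bot: The new negative-size branch (new lines 101–117, repeated verbatim at 173–189) carries no comment saying why it exists, so the memory-disclosure rationale lives only in the commit message. I would put the same one-line comment above both copies, for example `/* buffers with negative size have caused worker memory disclosure in the past */`. That also helps whoever later edits one of the four near-identical dump blocks (two zero-size, two negative-size) and needs to know the others must stay in step. Each check sits ahead of `size += ngx_buf_size(cl->buf)`, so a negative value is rejected before it reaches the accumulator; the enclosing function starts and ends outside the visible lines.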