Mercurial > hg > nginx
comparison src/stream/ngx_stream_write_filter_module.c @ 7401:a7ff19afbb14
Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.
While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 26 Nov 2018 18:29:56 +0300 |
parents | 56fc55e32f23 |
children | d127837c714f |
comparison
equal
deleted
inserted
replaced
7400:be5cb9c67c05 | 7401:a7ff19afbb14 |
---|---|
102 cl->buf->start, cl->buf->pos, | 102 cl->buf->start, cl->buf->pos, |
103 cl->buf->last - cl->buf->pos, | 103 cl->buf->last - cl->buf->pos, |
104 cl->buf->file_pos, | 104 cl->buf->file_pos, |
105 cl->buf->file_last - cl->buf->file_pos); | 105 cl->buf->file_last - cl->buf->file_pos); |
106 | 106 |
107 #if 1 | |
108 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) { | 107 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) { |
109 ngx_log_error(NGX_LOG_ALERT, c->log, 0, | 108 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
110 "zero size buf in writer " | 109 "zero size buf in writer " |
111 "t:%d r:%d f:%d %p %p-%p %p %O-%O", | 110 "t:%d r:%d f:%d %p %p-%p %p %O-%O", |
112 cl->buf->temporary, | 111 cl->buf->temporary, |
120 cl->buf->file_last); | 119 cl->buf->file_last); |
121 | 120 |
122 ngx_debug_point(); | 121 ngx_debug_point(); |
123 return NGX_ERROR; | 122 return NGX_ERROR; |
124 } | 123 } |
125 #endif | 124 |
125 if (ngx_buf_size(cl->buf) < 0) { | |
126 ngx_log_error(NGX_LOG_ALERT, c->log, 0, | |
127 "negative size buf in writer " | |
128 "t:%d r:%d f:%d %p %p-%p %p %O-%O", | |
129 cl->buf->temporary, | |
130 cl->buf->recycled, | |
131 cl->buf->in_file, | |
132 cl->buf->start, | |
133 cl->buf->pos, | |
134 cl->buf->last, | |
135 cl->buf->file, | |
136 cl->buf->file_pos, | |
137 cl->buf->file_last); | |
138 | |
139 ngx_debug_point(); | |
140 return NGX_ERROR; | |
141 } | |
126 | 142 |
127 size += ngx_buf_size(cl->buf); | 143 size += ngx_buf_size(cl->buf); |
128 | 144 |
129 if (cl->buf->flush || cl->buf->recycled) { | 145 if (cl->buf->flush || cl->buf->recycled) { |
130 flush = 1; | 146 flush = 1; |
158 cl->buf->start, cl->buf->pos, | 174 cl->buf->start, cl->buf->pos, |
159 cl->buf->last - cl->buf->pos, | 175 cl->buf->last - cl->buf->pos, |
160 cl->buf->file_pos, | 176 cl->buf->file_pos, |
161 cl->buf->file_last - cl->buf->file_pos); | 177 cl->buf->file_last - cl->buf->file_pos); |
162 | 178 |
163 #if 1 | |
164 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) { | 179 if (ngx_buf_size(cl->buf) == 0 && !ngx_buf_special(cl->buf)) { |
165 ngx_log_error(NGX_LOG_ALERT, c->log, 0, | 180 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
166 "zero size buf in writer " | 181 "zero size buf in writer " |
167 "t:%d r:%d f:%d %p %p-%p %p %O-%O", | 182 "t:%d r:%d f:%d %p %p-%p %p %O-%O", |
168 cl->buf->temporary, | 183 cl->buf->temporary, |
176 cl->buf->file_last); | 191 cl->buf->file_last); |
177 | 192 |
178 ngx_debug_point(); | 193 ngx_debug_point(); |
179 return NGX_ERROR; | 194 return NGX_ERROR; |
180 } | 195 } |
181 #endif | 196 |
197 if (ngx_buf_size(cl->buf) < 0) { | |
198 ngx_log_error(NGX_LOG_ALERT, c->log, 0, | |
199 "negative size buf in writer " | |
200 "t:%d r:%d f:%d %p %p-%p %p %O-%O", | |
201 cl->buf->temporary, | |
202 cl->buf->recycled, | |
203 cl->buf->in_file, | |
204 cl->buf->start, | |
205 cl->buf->pos, | |
206 cl->buf->last, | |
207 cl->buf->file, | |
208 cl->buf->file_pos, | |
209 cl->buf->file_last); | |
210 | |
211 ngx_debug_point(); | |
212 return NGX_ERROR; | |
213 } | |
182 | 214 |
183 size += ngx_buf_size(cl->buf); | 215 size += ngx_buf_size(cl->buf); |
184 | 216 |
185 if (cl->buf->flush || cl->buf->recycled) { | 217 if (cl->buf->flush || cl->buf->recycled) { |
186 flush = 1; | 218 flush = 1; |