Mercurial > hg > nginx
view src/http/modules/ngx_http_empty_gif_module.c @ 7060:1adc6b0d5eaa stable-1.12
Range filter: protect from total size overflows.
The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check). These can result in the following errors in logs:
[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)
When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.
In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer. This never happens with standard nginx modules
though, as well as known 3rd party modules.
Fix is to properly protect from possible overflow when incrementing size.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 11 Jul 2017 16:06:23 +0300 |
| parents | d620f497c50f |
| children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_http.h> static char *ngx_http_empty_gif(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static ngx_command_t ngx_http_empty_gif_commands[] = { { ngx_string("empty_gif"), NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS, ngx_http_empty_gif, 0, 0, NULL }, ngx_null_command }; /* the minimal single pixel transparent GIF, 43 bytes */ static u_char ngx_empty_gif[] = { 'G', 'I', 'F', '8', '9', 'a', /* header */ /* logical screen descriptor */ 0x01, 0x00, /* logical screen width */ 0x01, 0x00, /* logical screen height */ 0x80, /* global 1-bit color table */ 0x01, /* background color #1 */ 0x00, /* no aspect ratio */ /* global color table */ 0x00, 0x00, 0x00, /* #0: black */ 0xff, 0xff, 0xff, /* #1: white */ /* graphic control extension */ 0x21, /* extension introducer */ 0xf9, /* graphic control label */ 0x04, /* block size */ 0x01, /* transparent color is given, */ /* no disposal specified, */ /* user input is not expected */ 0x00, 0x00, /* delay time */ 0x01, /* transparent color #1 */ 0x00, /* block terminator */ /* image descriptor */ 0x2c, /* image separator */ 0x00, 0x00, /* image left position */ 0x00, 0x00, /* image top position */ 0x01, 0x00, /* image width */ 0x01, 0x00, /* image height */ 0x00, /* no local color table, no interlaced */ /* table based image data */ 0x02, /* LZW minimum code size, */ /* must be at least 2-bit */ 0x02, /* block size */ 0x4c, 0x01, /* compressed bytes 01_001_100, 0000000_1 */ /* 100: clear code */ /* 001: 1 */ /* 101: end of information code */ 0x00, /* block terminator */ 0x3B /* trailer */ }; static ngx_http_module_t ngx_http_empty_gif_module_ctx = { NULL, /* preconfiguration */ NULL, /* postconfiguration */ NULL, /* create main configuration */ NULL, /* init main configuration */ NULL, /* create server configuration */ NULL, /* merge server configuration */ NULL, /* create location configuration */ NULL /* merge location configuration */ }; ngx_module_t ngx_http_empty_gif_module = { NGX_MODULE_V1, &ngx_http_empty_gif_module_ctx, /* module context */ ngx_http_empty_gif_commands, /* module directives */ NGX_HTTP_MODULE, /* module type */ NULL, /* init master */ NULL, /* init module */ NULL, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ NULL, /* exit process */ NULL, /* exit master */ NGX_MODULE_V1_PADDING }; static ngx_str_t ngx_http_gif_type = ngx_string("image/gif"); static ngx_int_t ngx_http_empty_gif_handler(ngx_http_request_t *r) { ngx_http_complex_value_t cv; if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD))) { return NGX_HTTP_NOT_ALLOWED; } ngx_memzero(&cv, sizeof(ngx_http_complex_value_t)); cv.value.len = sizeof(ngx_empty_gif); cv.value.data = ngx_empty_gif; r->headers_out.last_modified_time = 23349600; return ngx_http_send_response(r, NGX_HTTP_OK, &ngx_http_gif_type, &cv); } static char * ngx_http_empty_gif(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { ngx_http_core_loc_conf_t *clcf; clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module); clcf->handler = ngx_http_empty_gif_handler; return NGX_CONF_OK; }