Maxim Dounin
2018-12-04 13:36:48 UTC
details: https://hg.nginx.org/nginx/rev/8af6dceeb648
branches: stable-1.14
changeset: 7408:8af6dceeb648
user: Roman Arutyunyan <***@nginx.com>
date: Fri Jun 01 16:53:02 2018 +0300
description:
Events: fixed handling zero-length client address.
On Linux recvmsg() syscall may return a zero-length client address when
receiving a datagram from an unbound unix datagram socket. It is usually
assumed that socket address has at least the sa_family member. Zero-length
socket address caused buffer over-read in functions which receive socket
address, for example ngx_sock_ntop(). Typically the over-read resulted in
unexpected socket family followed by session close. Now a fake socket address
is allocated instead of a zero-length client address.
diffstat:
src/event/ngx_event_accept.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diffs (22 lines):
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -448,6 +448,18 @@ ngx_event_recvmsg(ngx_event_t *ev)
c->socklen = sizeof(ngx_sockaddr_t);
}
+ if (c->socklen == 0) {
+
+ /*
+ * on Linux recvmsg() returns zero msg_namelen
+ * when receiving packets from unbound AF_UNIX sockets
+ */
+
+ c->socklen = sizeof(struct sockaddr);
+ ngx_memzero(&sa, sizeof(struct sockaddr));
+ sa.sockaddr.sa_family = ls->sockaddr->sa_family;
+ }
+
#if (NGX_STAT_STUB)
(void) ngx_atomic_fetch_add(ngx_stat_active, 1);
#endif
branches: stable-1.14
changeset: 7408:8af6dceeb648
user: Roman Arutyunyan <***@nginx.com>
date: Fri Jun 01 16:53:02 2018 +0300
description:
Events: fixed handling zero-length client address.
On Linux recvmsg() syscall may return a zero-length client address when
receiving a datagram from an unbound unix datagram socket. It is usually
assumed that socket address has at least the sa_family member. Zero-length
socket address caused buffer over-read in functions which receive socket
address, for example ngx_sock_ntop(). Typically the over-read resulted in
unexpected socket family followed by session close. Now a fake socket address
is allocated instead of a zero-length client address.
diffstat:
src/event/ngx_event_accept.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diffs (22 lines):
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -448,6 +448,18 @@ ngx_event_recvmsg(ngx_event_t *ev)
c->socklen = sizeof(ngx_sockaddr_t);
}
+ if (c->socklen == 0) {
+
+ /*
+ * on Linux recvmsg() returns zero msg_namelen
+ * when receiving packets from unbound AF_UNIX sockets
+ */
+
+ c->socklen = sizeof(struct sockaddr);
+ ngx_memzero(&sa, sizeof(struct sockaddr));
+ sa.sockaddr.sa_family = ls->sockaddr->sa_family;
+ }
+
#if (NGX_STAT_STUB)
(void) ngx_atomic_fetch_add(ngx_stat_active, 1);
#endif