Hi,

When using $binary_remote_addr together with unix sockets (without using X-Real-Ip) there is a heap buffer overread of two bytes.

The problem is that we only allocate two bytes for c->sockaddr here
http://hg.nginx.org/nginx/file/tip/src/event/ngx_event_accept.c#l167
but later on assume it to be of size four
http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_variables.c#l1246

Now, one could argue that using remote addr and unix sockets without X-Real-Ip might not make sense but I still wanted to report it. Maybe it might make sense to issue a warning or something.

The issue can be reproduced by compiling with address sanitizer and -DNGX_DEBUG_PALLOC and using something like the following config:

    daemon off;
    master_process off;

    events {
        worker_connections 1024;
    }

    error_log /dev/stdout debug;

    http {
        server {
            listen 8000;
            listen unix:/tmp/nginx.sock backlog=10000;
            server_name localhost;

            location / {
                proxy_pass http://unix:/tmp/nginx.sock:/foo;
            }

            location /foo {
                return 200 hello$binary_remote_addr;
            }
        }
    }

Cheers,
Stephan
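Added example, not part of the original post and not nginx code: one way to guard the kind of read reported above is to derive the address bytes from both the socket family and the length the sockaddr was allocated with, so a unix-socket sockaddr is never interpreted with the AF_INET layout. The names binary_addr_checked and demo_len are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper, not nginx code: return the raw IP bytes inside sa, or
 * NULL if the family has none or socklen (the allocated size) is too small. */
static const unsigned char *
binary_addr_checked(const void *sa, socklen_t socklen, size_t *len)
{
    const unsigned char *p = sa;
    sa_family_t family;
    size_t off, need;

    *len = 0;
    if ((size_t) socklen < offsetof(struct sockaddr, sa_data))
        return NULL;
    memcpy(&family, p + offsetof(struct sockaddr, sa_family), sizeof(family));
    if (family == AF_INET) {
        off = offsetof(struct sockaddr_in, sin_addr);
        need = sizeof(struct in_addr);
    } else if (family == AF_INET6) {
        off = offsetof(struct sockaddr_in6, sin6_addr);
        need = sizeof(struct in6_addr);
    } else {
        return NULL;  /* AF_UNIX etc.: never reuse the AF_INET layout */
    }
    if ((size_t) socklen < off + need)
        return NULL;
    *len = need;
    return p + off;
}

/* Constructed input: a zeroed heap sockaddr of exactly n bytes with only the
 * family field set; returns the address length the helper reports for it. */
static size_t demo_len(sa_family_t fam, size_t n)
{
    size_t len = 99;
    unsigned char *buf = n >= offsetof(struct sockaddr, sa_data) ? calloc(1, n) : NULL;
    if (buf == NULL) return 99;
    memcpy(buf + offsetof(struct sockaddr, sa_family), &fam, sizeof(fam));
    binary_addr_checked(buf, (socklen_t) n, &len);
    free(buf);
    return len;
}

int main(void) { return demo_len(AF_UNIX, offsetof(struct sockaddr, sa_data)) == 0 ? 0 : 1; }
```

Built with address sanitizer, the two-byte AF_UNIX case returns an empty result without touching memory past the allocation.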
