details: http://hg.nginx.org/nginx/rev/d0b897c0bb5b branches: changeset: 7283:d0b897c0bb5b user: Roman Arutyunyan <a...@nginx.com> date: Fri Jun 01 16:53:02 2018 +0300 description: Events: fixed handling zero-length client address.
On Linux recvmsg() syscall may return a zero-length client address when receiving a datagram from an unbound unix datagram socket. It is usually assumed that socket address has at least the sa_family member. Zero-length socket address caused buffer over-read in functions which receive socket address, for example ngx_sock_ntop(). Typically the over-read resulted in unexpected socket family followed by session close. Now a fake socket address is allocated instead of a zero-length client address. diffstat: src/event/ngx_event_accept.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) diffs (22 lines): diff -r da9941c9b01b -r d0b897c0bb5b src/event/ngx_event_accept.c --- a/src/event/ngx_event_accept.c Mon Jun 04 18:47:54 2018 +0300 +++ b/src/event/ngx_event_accept.c Fri Jun 01 16:53:02 2018 +0300 @@ -448,6 +448,18 @@ ngx_event_recvmsg(ngx_event_t *ev) c->socklen = sizeof(ngx_sockaddr_t); } + if (c->socklen == 0) { + + /* + * on Linux recvmsg() returns zero msg_namelen + * when receiving packets from unbound AF_UNIX sockets + */ + + c->socklen = sizeof(struct sockaddr); + ngx_memzero(&sa, sizeof(struct sockaddr)); + sa.sockaddr.sa_family = ls->sockaddr->sa_family; + } + #if (NGX_STAT_STUB) (void) ngx_atomic_fetch_add(ngx_stat_active, 1); #endif _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel