author | Roman Arutyunyan <arut@nginx.com> | 2018-06-01 16:53:02 +0300 |
---|---|---|
committer | Roman Arutyunyan <arut@nginx.com> | 2018-06-01 16:53:02 +0300 |
commit | b1d88228ecb54140ec1f7d3f11f0fbb4d6ec5982 (patch) | |
tree | e592fc1670f03fa72da1a23188a848a45f6cc30c | |
parent | b0e5144c6d5096ad6220816854da4411a218f82c (diff) | |
download | nginx-b1d88228ecb54140ec1f7d3f11f0fbb4d6ec5982.tar.gz |
Events: fixed handling zero-length client address.
On Linux recvmsg() syscall may return a zero-length client address when
receiving a datagram from an unbound unix datagram socket. It is usually
assumed that socket address has at least the sa_family member. Zero-length
socket address caused buffer over-read in functions which receive socket
address, for example ngx_sock_ntop(). Typically the over-read resulted in
unexpected socket family followed by session close. Now a fake socket address
is allocated instead of a zero-length client address.
-rw-r--r-- | src/event/ngx_event_accept.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c index 775637090..7e9f742a0 100644 --- a/src/event/ngx_event_accept.c +++ b/src/event/ngx_event_accept.c @@ -448,6 +448,18 @@ ngx_event_recvmsg(ngx_event_t *ev) c->socklen = sizeof(ngx_sockaddr_t); } + if (c->socklen == 0) { + + /* + * on Linux recvmsg() returns zero msg_namelen + * when receiving packets from unbound AF_UNIX sockets + */ + + c->socklen = sizeof(struct sockaddr); + ngx_memzero(&sa, sizeof(struct sockaddr)); + sa.sockaddr.sa_family = ls->sockaddr->sa_family; + } + #if (NGX_STAT_STUB) (void) ngx_atomic_fetch_add(ngx_stat_active, 1); #endif |
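Review bot: the comment inside the new `if (c->socklen == 0)` block in ngx_event_recvmsg() explains why the length is zero but not what replaces it, and later readers of the connection's address cannot tell a synthesized address from one the kernel returned. The block sets `c->socklen = sizeof(struct sockaddr)`, zeroes that many bytes of `sa`, and copies `sa_family` from `ls->sockaddr`, so everything downstream (address formatting, logging, any address-based matching) sees a peer address with the listener's family and all-zero address bytes. I would extend the comment to say the address is a placeholder and why the listener's family is the right choice. Separately, the guard only covers a length of exactly zero. Since the stated invariant is that the address holds at least the `sa_family` member, comparing `c->socklen` against the size of that member would enforce the invariant directly rather than the one case observed on Linux.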