Found vulnerability in ngx_http_push_stream_complex_value #314
Hello! I was analyzing your module with the Svace SAST tool and found a vulnerability in ngx_http_push_stream_complex_value. The problem is that the ngx_http_complex_value function's return value is not being checked:

nginx-push-stream-module/src/ngx_http_push_stream_module_utils.c, line 2122 in b1c1a08
But it should because of this part in ngx_http_complex_value:
https://github.com/nginx/nginx/blob/d31305653701bd99e8e5e6aa48094599a08f9f12/src/http/ngx_http_script.c#L79-L90

If the allocation with ngx_palloc fails and returns NULL, value->data will be NULL but value->len won't be zero. So when we come back from ngx_http_complex_value and step into ngx_http_push_stream_unescape_uri, we will see that this part of the code relies only on value->len not being zero:

nginx-push-stream-module/src/ngx_http_push_stream_module_utils.c, lines 2132 to 2140 in b1c1a08

But as I mentioned above, there can be a situation where value->len is not zero but value->data is NULL. The dst and src values both become NULL and go as arguments into the ngx_unescape_uri function, which doesn't check either of them for NULL.

https://github.com/nginx/nginx/blob/d31305653701bd99e8e5e6aa48094599a08f9f12/src/core/ngx_string.c#L1676-L1694
So there will be a crash right here, where "s" is dereferenced.

I've changed ngx_http_push_stream_complex_value in my pull request and made it return either NGX_ERROR or NGX_OK, changed all places where it is called, and also added logging where necessary.

It compiles well, I haven't seen any trouble, and it passes 399 tests. It has two failures; one of them is "Measure Memory should check subscribers system size" (./spec/mix/measure_memory_spec.rb:105), but that happens also with the current GitHub version.

The only thing I found uniquely troublesome with my version is that the "Publisher Messages should expose message size through message template" test fails (./spec/publisher/publish_messages_spec.rb:333). It happens only when I test with my commits, but I'm lacking experience with this module to trace it properly, so my pull request should be modified a bit, I guess. But I have no idea where.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
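The failure mode described in the report, reduced to a self-contained model so it can be run offline. This is an added illustration, not code from nginx or from the push-stream module: `model_complex_value`, `model_palloc`, `model_unescape` and the `str_t` type are hypothetical stand-ins that copy only the relevant convention (length is set before the allocation, and an `NGX_ERROR` return is the only signal that `data` is NULL). `unchecked_leaves_dangling` reproduces the original caller pattern that tests `len` alone; `checked_caller` shows the fix the pull request describes, propagating the return code so the unescape step never receives a NULL buffer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NGX_OK     0
#define NGX_ERROR -1

/* Hypothetical stand-in for ngx_str_t. */
typedef struct { size_t len; unsigned char *data; } str_t;

/* Hypothetical allocator: when fail != 0 it behaves like ngx_palloc returning NULL. */
static void *model_palloc(size_t n, int fail) { return fail ? NULL : malloc(n); }

/* Stand-in for ngx_http_complex_value: like the function quoted in the report,
 * it stores the length first and only then allocates, so on failure the caller
 * is left with len != 0 and data == NULL unless it looks at the return code. */
static int model_complex_value(const char *src, str_t *value, int fail) {
    value->len  = strlen(src);
    value->data = model_palloc(value->len, fail);
    if (value->data == NULL) return NGX_ERROR;
    memcpy(value->data, src, value->len);
    return NGX_OK;
}

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Minimal in-place %XX decoder standing in for ngx_unescape_uri. Like the real
 * function it assumes dst and src are valid; it never checks for NULL. */
static size_t model_unescape(unsigned char *dst, const unsigned char *src, size_t n) {
    size_t i = 0, w = 0;
    while (i < n) {
        int hi, lo;
        if (src[i] == '%' && i + 2 < n + 0 && (hi = hexval(src[i + 1])) >= 0
            && (lo = hexval(src[i + 2])) >= 0) {
            dst[w++] = (unsigned char)((hi << 4) | lo);
            i += 3;
        } else {
            dst[w++] = src[i++];
        }
    }
    return w;
}

/* Original pattern: the return code is dropped and only len is tested.
 * Returns 1 when the caller would hand a NULL buffer to the unescape step. */
static int unchecked_leaves_dangling(const char *src, int fail) {
    str_t v;
    model_complex_value(src, &v, fail);          /* return value ignored */
    if (v.len) {                                 /* the only check in the original */
        int dangling = (v.data == NULL);         /* real code would dereference here */
        free(v.data);
        return dangling;
    }
    return 0;
}

/* Fixed pattern: propagate NGX_ERROR and touch data only on NGX_OK. */
static int checked_caller(const char *src, int fail, str_t *out) {
    str_t v;
    out->len = 0;
    out->data = NULL;
    if (model_complex_value(src, &v, fail) != NGX_OK) {
        return NGX_ERROR;                        /* caller logs and aborts the request */
    }
    if (v.len) {
        v.len = model_unescape(v.data, v.data, v.len);
    }
    *out = v;
    return NGX_OK;
}

int main(void) {
    str_t out;
    int rc = checked_caller("a%20b", 0, &out);
    free(out.data);
    return rc == NGX_OK ? 0 : 1;
}
```

Under simulated allocation failure the unchecked caller reports a dangling (NULL) buffer with a non-zero length, which is exactly the state the report traces into ngx_unescape_uri; the checked caller returns NGX_ERROR and leaves `out` empty instead.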