"nginx memory disclosure, patch it now before too late" by: ev1lut10n http://www.openwall.com/lists/oss-security/2012/03/15/5 this is a vulnerability found by Matthew Daley, the memory disclosure security problem exist on nginx 0.1.0-1.1.16 there's 5 files you need to patch at src/http/modules/ : ngx_http_fastcgi_module.c ngx_http_proxy_module.c ngx_http_scgi_module.c ngx_http_uwsgi_module.c at src/http/ : ngx_http_parse.c patch_ngx_http_parse : ========================== --- src/http/ngx_http_parse.c +++ src/http/ngx_http_parse.c @@ -874,6 +874,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -936,6 +940,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -954,6 +962,8 @@ ngx_http_parse_header_line(ngx_http_requ r->header_start = p; r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: r->header_start = p; state = sw_value; @@ -975,6 +985,8 @@ ngx_http_parse_header_line(ngx_http_requ case LF: r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; } break; @@ -988,6 +1000,8 @@ ngx_http_parse_header_line(ngx_http_requ break; case LF: goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: state = sw_value; break; ========================== patch_ngx_http_fastcgi_module: ====== --- src/http/modules/ngx_http_fastcgi_module.c +++ src/http/modules/ngx_http_fastcgi_module.c @@ -1501,10 +1501,10 @@ ngx_http_fastcgi_process_header(ngx_http h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, - h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, - h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; } h->hash = r->header_hash; ========= patch_ngx_http_proxy_module: ====== --- src/http/modules/ngx_http_proxy_module.c +++ src/http/modules/ngx_http_proxy_module.c @@ -1381,8 +1381,10 @@ ngx_http_proxy_process_header(ngx_http_r h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); ======== patch_ngx_http_scgi_module === --- src/http/modules/ngx_http_scgi_module.c +++ src/http/modules/ngx_http_scgi_module.c @@ -941,8 +941,10 @@ ngx_http_scgi_process_header(ngx_http_re h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); ========= patch_ngx_http_uwsgi_module: ============ --- src/http/modules/ngx_http_uwsgi_module.c +++ src/http/modules/ngx_http_uwsgi_module.c @@ -985,8 +985,10 @@ ngx_http_uwsgi_process_header(ngx_http_r h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); =========== apply the patch: ============ # ls ngx_http_access_module.c ngx_http_geo_module.c ngx_http_proxy_module.c.bak ngx_http_static_module.c ngx_http_addition_filter_module.c ngx_http_gzip_filter_module.c ngx_http_random_index_module.c ngx_http_stub_status_module.c ngx_http_auth_basic_module.c ngx_http_gzip_static_module.c ngx_http_range_filter_module.c ngx_http_sub_filter_module.c ngx_http_autoindex_module.c ngx_http_headers_filter_module.c ngx_http_realip_module.c ngx_http_upstream_ip_hash_module.c ngx_http_browser_module.c ngx_http_image_filter_module.c ngx_http_referer_module.c ngx_http_userid_filter_module.c ngx_http_charset_filter_module.c ngx_http_index_module.c ngx_http_rewrite_module.c ngx_http_uwsgi_module.c ngx_http_chunked_filter_module.c ngx_http_limit_req_module.c ngx_http_scgi_module.c ngx_http_uwsgi_module.c.bak ngx_http_dav_module.c ngx_http_limit_zone_module.c ngx_http_scgi_module.c.bak ngx_http_xslt_filter_module.c ngx_http_degradation_module.c ngx_http_log_module.c ngx_http_secure_link_module.c patch_ngx_http_fastcgi_module ngx_http_empty_gif_module.c ngx_http_map_module.c ngx_http_split_clients_module.c patch_ngx_http_proxy_module ngx_http_fastcgi_module.c ngx_http_memcached_module.c ngx_http_ssi_filter_module.c patch_ngx_http_scgi_module ngx_http_fastcgi_module.c.bak ngx_http_mp4_module.c ngx_http_ssi_filter_module.h patch_ngx_http_uwsgi_module ngx_http_flv_module.c ngx_http_not_modified_filter_module.c ngx_http_ssl_module.c perl ngx_http_geoip_module.c ngx_http_proxy_module.c ngx_http_ssl_module.h ============== apply the patches: ==== [root@godad modules]# patch < patch_ngx_http_fastcgi_module patching file ngx_http_fastcgi_module.c Hunk #1 succeeded at 1446 (offset -55 lines). [root@godad modules]# patch < patch_ngx_http_proxy_module patching file ngx_http_proxy_module.c Hunk #1 succeeded at 1278 (offset -103 lines). [root@godad modules]# patch < patch_ngx_http_scgi_module patching file ngx_http_scgi_module.c Hunk #1 succeeded at 894 (offset -47 lines). [root@godad modules]# patch < patch_ngx_http_uwsgi_module patching file ngx_http_uwsgi_module.c Hunk #1 succeeded at 947 (offset -38 lines). [root@godad modules]# cd ..;patch