BUGTRAQ ID: 59496
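nginx is an HTTP and reverse proxy server that is also used as a mail proxy server, written by Igor Sysoev.
nginx has a remote integer overflow vulnerability in its implementation: when r->count is less than 0 or greater than 255, an integer overflow error occurs in nginx's ngx_http_close_connection function. A remote attacker can exploit this vulnerability with a malicious HTTP request and may be able to execute arbitrary code in the context of the application.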
Igor Sysoev nginx 1.1.19
Igor Sysoev nginx 1.1.17
Igor Sysoev nginx 1.0.9
Igor Sysoev nginx 1.0.8
Igor Sysoev nginx 1.0.15
Igor Sysoev nginx 1.0.14
Igor Sysoev nginx 1.0.10
Temporary workaround:
Until an official update for this issue is released, we recommend applying the following patch:
From http://pastie.org/private/vrocsopzemghn4y5dlg8q
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 9f63143..807cbc0 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1986,7 +1986,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r,
if (r == c->data) {
- r->main->count--;
+ if (r->main->count > 0)
+ r->main->count--;
if (!r->logged) {
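Review bot: the new guard on r->main->count-- silently skips the decrement when the counter is already zero, which hides an unbalanced release instead of surfacing it. Log the condition at alert level here, as the "http request count is zero" message later in this file does, so the imbalance can be traced.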
@@ -2022,7 +2023,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r,
}
if (ngx_http_post_request(pr, NULL) != NGX_OK) {
- r->main->count++;
+ if (r->main->count < 255)
+ r->main->count++;
ngx_http_terminate_request(r, 0);
return;
}
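Review bot: capping r->main->count++ at 255 in the ngx_http_post_request failure branch still falls through to ngx_http_terminate_request(r, 0) when the increment was skipped, so that call sees a counter one lower than the unpatched code would have given it. Handle a full counter as an error on its own path rather than continuing into the same call.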
@@ -2911,7 +2913,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r,
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"post action: \"%V\"", &clcf->post_action);
- r->main->count--;
+ if (r->main->count > 0)
+ r->main->count--;
r->http_version = NGX_HTTP_VERSION_9;
r->header_only = 1;
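Review bot: the added if (r->main->count > 0) has no braces, while the other conditionals visible in this file are written as if (...) { ... }. Add braces to match, and since this is the same guard as in the first hunk, consider one shared helper so every decrement site gets identical checking and logging.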
@@ -2945,7 +2948,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r,
ngx_log_error(NGX_LOG_ALERT, c->log, 0, "http request count is zero");
}
- r->count--;
+ if (r->count > 0)
+ r->count--;
if (r->count || r->blocked) {
return;
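Review bot: the if (r->count > 0) guard tests a condition that the context just above already appears to detect, where "http request count is zero" is logged. Fold the handling into that existing block instead of testing the counter a second time, and note that with the decrement skipped r->count stays 0, so if (r->count || r->blocked) no longer returns on the counter alone and execution continues past it.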
diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
index ac09d56..8ea33f4 100644
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -37,7 +37,8 @@ static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r,
ngx_http_request_body_t *rb;
ngx_http_core_loc_conf_t *clcf;
- r->main->count++;
+ if (r->main->count < 255)
+ r->main->count++;
if (r->request_body || r->discard_body) {
post_handler(r);
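Review bot: when r->main->count is already 255 the increment is skipped, but the code still goes on to the r->request_body || r->discard_body check and post_handler(r) as if a reference had been taken. A later matching decrement would then leave the counter one too low; fail the request at this point instead of continuing.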
@@ -485,7 +486,8 @@ static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r,
r->lingering_close = 0;
} else {
- r->count++;
+ if (r->count < 255)
+ r->count++;
r->discard_body = 1;
}
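Review bot: the literal 255 in if (r->count < 255) is a magic number repeated at three increment sites in this patch, with no comment tying it to the width of the count field. Define one named constant next to the field declaration and use it in every guard, so the limit cannot drift if the field changes.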
The program must be recompiled for the fix to take effect.
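The counter wraparound described in the advisory and the guards in the patch above, as an added example that is not nginx code and not part of the original advisory: a toy C model comparing an unchecked 8-bit reference counter, one that silently stops at 255, and one that refuses the reference. The 8-bit width (inferred from the 0..255 range) and all toy_* names are assumptions.

```c
#include <stdio.h>

/* Toy model, not nginx code. The 8-bit counter width is an assumption based
 * on the 0..255 range in the advisory; every name here is hypothetical. */
typedef struct {
    unsigned count:8;   /* reference counter, wraps modulo 256 */
    int      freed;     /* set once the counter drops to zero */
} toy_request_t;

enum toy_mode { TOY_UNCHECKED, TOY_SATURATE, TOY_REFUSE };

/* Take a reference. Returns 1 if the caller now uses the object, 0 if refused. */
static int toy_acquire(toy_request_t *r, enum toy_mode m) {
    if (r->count == 255 && m == TOY_REFUSE) { return 0; }   /* error to caller */
    if (r->count == 255 && m == TOY_SATURATE) { return 1; } /* increment skipped */
    r->count++;                                             /* unchecked: 255 -> 0 */
    return 1;
}

/* Drop a reference; the object is freed when the counter reaches zero. */
static void toy_release(toy_request_t *r, enum toy_mode m) {
    if (m == TOY_UNCHECKED || r->count > 0) { r->count--; } /* unchecked: 0 -> 255 */
    if (r->count == 0) { r->freed = 1; }
}

/* Returns how many holders still use the object when it is first freed
 * (0 is the only safe answer), or -1 if it is never freed. */
static int toy_holders_at_free(int holders, enum toy_mode m) {
    toy_request_t r = { 0, 0 };
    int held = 0, i;

    for (i = 0; i < holders; i++) { held += toy_acquire(&r, m); }
    for (i = 1; i <= held; i++) {
        toy_release(&r, m);
        if (r.freed) { return held - i; }
    }
    return -1;
}

int main(void) {
    /* Constructed scenario: 257 holders, one more than the counter can wrap. */
    printf("unchecked: %d\n", toy_holders_at_free(257, TOY_UNCHECKED));
    printf("saturate:  %d\n", toy_holders_at_free(257, TOY_SATURATE));
    printf("refuse:    %d\n", toy_holders_at_free(257, TOY_REFUSE));
    return 0;
}
```

In this model only the refusing variant frees the object with no holders left; the unchecked counter frees it with 256 holders outstanding and the saturating one with 2.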
Vendor patch:
Igor Sysoev
-----------
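The vendor has not yet provided a patch or an upgrade. We recommend that users of this software watch the vendor's home page for the latest version: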
http://nginx.org/en/download.html