Ticket #1368: Date overflow problems with ngx_gmtime()

Reporter:      Jamie Landeg-Jones
Owner:
Type:          defect
Status:        closed
Priority:      minor
Milestone:
Component:     nginx-core
Version:       1.12.x
Resolution:    fixed
Keywords:      epoch negative date ngx_gmtime
Cc:
uname:         FreeBSD lapcat.dyslexicfish.net 11.1-STABLE FreeBSD 11.1-STABLE #0: Thu Jul 27 19:27:36 BST 2017 root@lapcat.dyslexicfish.net:/usr/obj/usr/src/sys/LAPCAT amd64
nginx_version: nginx version: nginx/1.12.1
               built with OpenSSL 1.0.2l 25 May 2017
               TLS SNI support enabled
               configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_sub_module --with-pcre --with-http_v2_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-http_ssl_module

Description:

There is a problem in ngx_gmtime() with dates earlier than the standard epoch, such that the negative number is treated as an unsigned integer, causing the year field to be 5 characters larger than allocated for, and hence the "(ngx_pool_t)*pool" variable to overflow by 5 characters. (e.g. "Last-Modified: Thu, 09 Nov 438498967 05:59:16 GMT")

Now, I don't know if this overflow into "(ngx_buf_t)*header_in" can be exploited, but still, I think it should be avoided.

Now, I appreciate that you aren't concerned with "negative" dates, which is fair enough, but may I at least suggest setting such dates to zero rather than simply casting them onto an unsigned type, as in the attached patch?

    01:58 (452) "nginx-1.12.1" jamie@lapcat% l -T /scratch/jamie/ports_base/usr/local/www/nginx-dist/index.html
    4 -rw-r--r--  1 jamie  jamie  - 4 31 Dec 23:59:00 1969 /scratch/jamie/ports_base/usr/local/www/nginx-dist/index.html

BEFORE PATCH:

    01:58 (453) "nginx-1.12.1" jamie@lapcat% curl -vvv localhost:55555
    * Rebuilt URL to: localhost:55555/
    * Connected to localhost (127.0.0.1) port 55555 (#0)
    > GET / HTTP/1.1
    > Host: localhost:55555
    > User-Agent: curl/7.55.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Server: nginx/1.12.1
    < Date: Mon, 28 Aug 2017 00:58:42 GMT
    < Content-Type: text/html
    < Content-Length: 4
    < Last-Modified: Thu, 09 Nov 438498967 05:59:16 GMT
    < Connection: keep-alive
    < ETag: "-e4c-4"
    < Accept-Ranges: bytes
    <
    boo
    * Connection #0 to host localhost left intact

AFTER PATCH:

    02:02 (461) "nginx-1.12.1" jamie@lapcat% curl -vvv localhost:55555
    * Rebuilt URL to: localhost:55555/
    *   Trying 127.0.0.1...
    * Connected to localhost (127.0.0.1) port 55555 (#0)
    > GET / HTTP/1.1
    > Host: localhost:55555
    > User-Agent: curl/7.55.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Server: nginx/1.12.1
    < Date: Mon, 28 Aug 2017 01:02:17 GMT
    < Content-Type: text/html
    < Content-Length: 4
    < Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
    < Connection: keep-alive
    < ETag: "-e4c-4"
    < Accept-Ranges: bytes
    <
    boo
    * Connection #0 to host localhost left intact

Cheers, Jamie
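The failure the ticket describes, as an added example that is not nginx's code and not the reporter's attached patch: a hypothetical stand-in for ngx_gmtime() that, like the real function, is only valid for non-negative input, fed a pre-epoch time_t once through a bare unsigned cast (the "before" behaviour) and once after the clamp-to-zero the reporter proposes. The calendar arithmetic is Howard Hinnant's civil-from-days formula rather than nginx's Gauss-formula code, so the garbage year for -60 is not the 438498967 seen in the ticket, but the point is the same: the "%4d" year field is sized for four digits, and the unsigned interpretation of a negative count produces many more, so a buffer cut to HTTP_DATE_LEN + 1 bytes would be overrun. Here the formatter goes through snprintf and returns the length the output would have, so the overrun is measured rather than triggered.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Length of an HTTP date as nginx emits it: "Thu, 01 Jan 1970 00:00:00 GMT".
   A buffer sized for this plus a NUL is what a longer year field walks past. */
#define HTTP_DATE_LEN 29

struct civil {
    int64_t  year;
    unsigned month, day, hour, min, sec, wday;
};

static const char *const wday_name[] = {
    "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" };
static const char *const mon_name[] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Hypothetical stand-in for ngx_gmtime(): broken-down UTC time from an
   *unsigned* seconds-since-epoch count.  Valid for non-negative input only;
   a negative time_t cast to uint64_t lands near 2^64 and yields a year with
   roughly twelve digits. */
static void gmtime_unsigned(uint64_t n, struct civil *c)
{
    uint64_t days = n / 86400;
    uint64_t rem  = n % 86400;

    c->hour = (unsigned)(rem / 3600);
    c->min  = (unsigned)(rem % 3600 / 60);
    c->sec  = (unsigned)(rem % 60);
    c->wday = (unsigned)((days + 4) % 7);       /* 1970-01-01 was a Thursday */

    uint64_t z   = days + 719468;               /* days since 0000-03-01 */
    uint64_t era = z / 146097;                  /* 400-year cycles */
    uint64_t doe = z - era * 146097;            /* day of era, [0, 146096] */
    uint64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    uint64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    uint64_t mp  = (5 * doy + 2) / 153;         /* month index, March = 0 */

    c->day   = (unsigned)(doy - (153 * mp + 2) / 5 + 1);
    c->month = (unsigned)(mp < 10 ? mp + 3 : mp - 9);
    c->year  = (int64_t)(yoe + era * 400) + (c->month <= 2);
}

/* Same layout as the Last-Modified header in the ticket.  Returns the length
   the string would have regardless of buflen, so the caller can see when a
   HTTP_DATE_LEN-sized destination would have been overrun. */
static size_t format_http_date(const struct civil *c, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s, %02u %s %4lld %02u:%02u:%02u GMT",
                     wday_name[c->wday], c->day, mon_name[c->month - 1],
                     (long long)c->year, c->hour, c->min, c->sec);
    return n < 0 ? 0 : (size_t)n;
}

/* Before: the time_t goes straight through an unsigned cast. */
static size_t http_date_unfixed(time_t t, char *buf, size_t buflen)
{
    struct civil c;
    gmtime_unsigned((uint64_t)t, &c);
    return format_http_date(&c, buf, buflen);
}

/* After: pre-epoch times are clamped to 0 first, so the year stays 1970. */
static size_t http_date_fixed(time_t t, char *buf, size_t buflen)
{
    struct civil c;
    if (t < 0) {
        t = 0;
    }
    gmtime_unsigned((uint64_t)t, &c);
    return format_http_date(&c, buf, buflen);
}

int main(void)
{
    char   buf[64];
    time_t t = -60;         /* 31 Dec 1969 23:59:00 GMT, the mtime in the ticket */
    size_t n;

    n = http_date_unfixed(t, buf, sizeof buf);
    printf("unfixed: %s (%zu bytes, slot holds %d)\n", buf, n, HTTP_DATE_LEN);

    n = http_date_fixed(t, buf, sizeof buf);
    printf("fixed:   %s (%zu bytes)\n", buf, n);
    return 0;
}
```

The check a reviewer wants on any fixed-width date formatter is the one main() prints: the returned length must equal HTTP_DATE_LEN for every input the function accepts, and inputs outside the function's stated domain (here, anything negative) must be rejected or clamped before the cast, not after the digits have already been written.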