Unterminated string result in ngx_sock_ntop()
uname -a: Linux invulnaco 5.4.0-72-generic #80~18.04.1-Ubuntu SMP Mon Apr 12 23:26:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx version: nginx/1.2.9
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
I've been studying/running your code for security research, and I've encountered what appears to be an unterminated string condition that has some risk of exposing heap internals. I've verified that, as far as I can tell, this issue remains in the latest source code.
In https://github.com/nginx/nginx/blob/branches/stable-1.20/src/event/ngx_event_accept.c#L272 there is a call to ngx_sock_ntop() with the ls->addr_text_max_len argument. In the case of INET_ADDR this value is 15 per https://github.com/nginx/nginx/blob/branches/stable-1.20/src/core/ngx_inet.h#L16
However, any time the length matches or exceeds this, as is the case when a port number is specified or for an address such as 126.96.36.199, the snprintf() operation (e.g. https://github.com/nginx/nginx/blob/branches/stable-1.20/src/core/ngx_inet.c#L206) will leave the resulting text unterminated. Because this is allocated from the heap, residual data in the surrounding block might be exposed.
Trivial fixes would include adjusting the size of the allocated buffer to account for this.
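The following is an added illustration of the failure mode the report describes; it is not nginx code and is not taken from the ticket. `format_addr()` is a stand-in for a length-bounded formatter that writes a terminating NUL only when room remains after the text (an assumption made for the demonstration, not a claim about `ngx_snprintf()`), the buffer capacity of 15 bytes mirrors the IPv4 case above, and the bytes of `'R'` beside the buffer are constructed to stand in for stale heap data. Two consumers read the result: one trusts the length the formatter returns, the other calls `strlen()` and so walks into the neighbouring bytes whenever the text filled the buffer exactly or was truncated (the port case).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_TEXT_MAX 15     /* max IPv4 text, "255.255.255.255", with no room for a NUL */
#define RESIDUAL_BYTES 8     /* constructed "leftover heap" bytes placed after the buffer */

/* Stand-in for a length-bounded formatter (assumption for illustration only,
 * not nginx's ngx_snprintf()): copies at most `max` bytes of the formatted
 * "ip" or "ip:port" text into buf, writes a NUL only if a byte is left over,
 * and returns the number of text bytes written. */
static size_t format_addr(unsigned char *buf, size_t max, const char *ip, int port)
{
    char tmp[64];
    int n = port ? snprintf(tmp, sizeof tmp, "%s:%d", ip, port)
                 : snprintf(tmp, sizeof tmp, "%s", ip);
    size_t len = (size_t) n < max ? (size_t) n : max;   /* truncate to capacity */

    memcpy(buf, tmp, len);
    if (len < max) {
        buf[len] = '\0';                                /* terminator only when it fits */
    }
    return len;
}

/* Builds one heap block laid out as [ADDR_TEXT_MAX bytes][RESIDUAL_BYTES of 'R'][NUL].
 * The 'R' bytes model stale data adjacent to the address buffer; the final NUL
 * keeps the demonstration's strlen() bounded. Caller frees. */
static unsigned char *alloc_with_residue(void)
{
    unsigned char *blk = malloc(ADDR_TEXT_MAX + RESIDUAL_BYTES + 1);
    if (blk == NULL) {
        abort();
    }
    memset(blk, 'R', ADDR_TEXT_MAX + RESIDUAL_BYTES);
    blk[ADDR_TEXT_MAX + RESIDUAL_BYTES] = '\0';
    return blk;
}

/* Length-aware consumer: uses the length returned by the formatter,
 * the way a (len, data) string such as ngx_str_t is meant to be read. */
size_t bytes_seen_by_len(const char *ip, int port)
{
    unsigned char *blk = alloc_with_residue();
    size_t len = format_addr(blk, ADDR_TEXT_MAX, ip, port);
    free(blk);
    return len;
}

/* Terminator-trusting consumer: calls strlen() on the buffer, so when no NUL
 * was written it keeps reading through the adjacent 'R' bytes. */
size_t bytes_seen_by_strlen(const char *ip, int port)
{
    unsigned char *blk = alloc_with_residue();
    format_addr(blk, ADDR_TEXT_MAX, ip, port);
    size_t seen = strlen((char *) blk);
    free(blk);
    return seen;
}

int main(void)
{
    const char *cases[] = { "203.0.113.254", "192.168.100.200", "192.168.100.200" };
    int ports[] = { 0, 0, 8080 };

    for (int i = 0; i < 3; i++) {
        printf("%-16s port=%-5d len=%zu strlen=%zu\n", cases[i], ports[i],
               bytes_seen_by_len(cases[i], ports[i]),
               bytes_seen_by_strlen(cases[i], ports[i]));
    }
    return 0;
}
```

The 13-byte address leaves room for a terminator and both consumers agree; the 15-byte address and the truncated `ip:port` form do not, and only the `strlen()` consumer over-reads. The practical audit this suggests is to look for any code path that hands the address buffer to a NUL-terminated API (`strlen`, `%s`, `strcpy`) rather than using its length; enlarging the buffer only helps if such a consumer exists and a terminator is actually written into the extra byte.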