id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2239	Unterminated string result in ngx_sock_ntop()	GregIthaca@…		"I've been studying/running your code for security research, and I've encountered what appears to be a unterminated string condition that has some risk of exposing heap internals. I've verified that as far as I can tell, this issue remains in the latest source code.

In https://github.com/nginx/nginx/blob/branches/stable-1.20/src/event/ngx_event_accept.c#L272 there is a call to ngx_soc_ntop() with the ls->addr_text_max_len argument. In the case of INET_ADDR this value is 15 per https://github.com/nginx/nginx/blob/branches/stable-1.20/src/core/ngx_inet.h#L16

However, any time the length matches or exceeds this, as is the case when a port number is specified or for an address such as 128.100.100.100, the snprintf() operation (e.g. https://github.com/nginx/nginx/blob/branches/stable-1.20/src/core/ngx_inet.c#L206) will leave the resulting text unterminated. Because this is allocated from the heap, residual data in the surrounding block might be exposed.

Trivial fixes would include adjusting the size of the allocated buffer to account for this."	defect	closed	minor		nginx-core	1.19.x	invalid	CWE-170, CWE-200		Linux invulnaco 5.4.0-72-generic #80~18.04.1-Ubuntu SMP Mon Apr 12 23:26:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.2.9
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
configure arguments:"