Opened 5 years ago

Closed 5 years ago

#588 closed defect (invalid)

POST Request with response 302 and content-length 0 crashes nginx

Reported by: www.google.com/accounts/o8/id?id=AItOawn3ZGJvwqyagJnAdPZ3Sd-0a_lBxsrr4mU
Owned by:
Priority: critical
Milestone:
Component: nginx-core
Version: 1.6.x
Keywords:
Cc:
uname -a: Linux d2-waf01.architrade.com 2.6.32-431.20.3.el6.x86_64 #1 SMP Fri Jun 6 18:30:54 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.0 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) TLS SNI support enabled configure arguments: --add-module=../modsecurity-2.8.0/nginx/modsecurity --with-openssl=/usr/local/src/openssl-1.0.1h/ --with-http_ssl_module --with-debug

Description

In the process of setting up Nginx as a reverse proxy in front of my Apache servers I have come across a bug which crashes nginx.
When the client sends the following:
POST /netbank/invoice_ok HTTP/1.1
Host: 172.26.11.11
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: Chunked
DNT: 1
Cookie: PMLCID=XXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3

x=x

Nginx crashes in an infinite loop at src/http/ngx_http_write_filter_module.c:116

The response Nginx receives from apache is (which never comes back to the client):
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.0
Date: Mon, 30 Jun 2014 14:44:54 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Location: http://google.com

And after some debugging it is discovered that it only happens with POST requests and only with Content-Length: 0 in the response header. If I add content to the body and a corresponding Content-Length in the response, it works fine. I have compiled Nginx with version 2.8 of modsecurity and this problem only occurs if I enable modsecurity (detection mode only though)! However, the infinite loop is occurring in the Nginx code. I have tested both 1.7.1 and 1.6.0 and they act the same way.

To reproduce this more easily I created a Perl script (attached) which can be served with netcat and sends the above response. Running it in a loop like this: while true; do perl redirect.cgi | nc -l -p 1500 ; sleep 1; done
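An added example, not the attached redirect.cgi: a Python stand-in for the "perl redirect.cgi | nc -l" upstream that returns the 302 with Content-Length: 0 quoted above, plus a probe that sends the ticket's POST and stops reading once the Content-Length-declared body (zero bytes) has arrived, returning None if the proxy never completes the response. It assumes Python 3.8+ and that the host/port you pass reach either this stand-in or an nginx under test.

```python
import socket
import threading

UPSTREAM_RESPONSE = (  # the upstream reply quoted in the ticket, byte for byte
    b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx/1.6.0\r\n"
    b"Date: Mon, 30 Jun 2014 14:44:54 GMT\r\nContent-Type: text/plain\r\n"
    b"Content-Length: 0\r\nConnection: keep-alive\r\n"
    b"Location: http://google.com\r\n\r\n"
)

def serve_redirect():
    """Stand-in for 'perl redirect.cgi | nc -l': answer one connection with the
    302 above and close. Returns the port it listens on (127.0.0.1)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def once():
        conn, _ = srv.accept()
        conn.recv(65536)                 # consume the POST; its content is irrelevant
        conn.sendall(UPSTREAM_RESPONSE)
        conn.close()
        srv.close()
    threading.Thread(target=once, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, timeout=5.0):
    """Send the ticket's POST and read exactly Content-Length body bytes.
    Returns (status, body), or None if no complete response arrives in time."""
    req = (f"POST /netbank/invoice_ok HTTP/1.1\r\nHost: {host}\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: 3\r\nConnection: keep-alive\r\n\r\nx=x").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            buf = b""
            while b"\r\n\r\n" not in buf and (chunk := s.recv(4096)):
                buf += chunk
            if b"\r\n\r\n" not in buf:
                return None              # closed before the header block ended
            head, body = buf.split(b"\r\n\r\n", 1)
            lines = head.decode("latin-1").split("\r\n")
            status = int(lines[0].split()[1])
            length = next((int(l.split(":", 1)[1]) for l in lines[1:]
                           if l.lower().startswith("content-length:")), 0)
            while len(body) < length and (chunk := s.recv(4096)):
                body += chunk            # with Content-Length: 0 this never runs
            return (status, body[:length]) if len(body) >= length else None
    except socket.timeout:
        return None                      # the hang described in the ticket
```

Pointing probe() at the stand-in yields (302, b""); pointing it at a proxy that loops on this response yields None after the timeout, which makes it usable as a regression check.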

Attachments (2)

redirect.cgi (1.2 KB) - added by www.google.com/accounts/o8/id?id=AItOawn3ZGJvwqyagJnAdPZ3Sd-0a_lBxsrr4mU 5 years ago.
Perl script to produce response with netcat
nginx.conf (3.0 KB) - added by www.google.com/accounts/o8/id?id=AItOawn3ZGJvwqyagJnAdPZ3Sd-0a_lBxsrr4mU 5 years ago.


Change History (4)

Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawn3ZGJvwqyagJnAdPZ3Sd-0a_lBxsrr4mU

Perl script to produce response with netcat

Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawn3ZGJvwqyagJnAdPZ3Sd-0a_lBxsrr4mU

comment:1 Changed 5 years ago by maxim

Hello,

Have you tried to reproduce the crash without modsecurity compiled in?

comment:2 Changed 5 years ago by vbart

  • Resolution set to invalid
  • Status changed from new to closed

"this problem only occurs if I enable modsecurity"

Since you can't reproduce it without the 3rd-party module, there's no evidence that the problem is in nginx itself. It's very easy for 3rd-party modules to break nginx by incorrect use of its internal API.
