src/http/modules/perl/Makefile.PL | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 use linker flags from environment for perl (dpkg-buildflags).
 Necessary for hardening flags.

src/core/ngx_resolver.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 resolver: fixed possible segmentation fault on dns format error.

src/core/ngx_resolver.c | 50 34 + 16 - 0 !
1 file changed, 34 insertions(+), 16 deletions(-)

 resolver: fixed crashes in timeout handler.

If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.

src/core/ngx_resolver.c | 21 15 + 6 - 0 !
1 file changed, 15 insertions(+), 6 deletions(-)

 resolver: fixed cname processing for several requests.

When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.

src/core/ngx_resolver.c | 57 27 + 30 - 0 !
1 file changed, 27 insertions(+), 30 deletions(-)

 resolver: changed the ngx_resolver_create_*_query() arguments.

No functional changes.

This is needed by the following change.

src/core/ngx_resolver.c | 72 33 + 39 - 0 !
src/core/ngx_resolver.h | 2 2 + 0 - 0 !
2 files changed, 35 insertions(+), 39 deletions(-)

 resolver: fixed use-after-free memory accesses with cname.

When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.

src/core/ngx_resolver.c | 28 22 + 6 - 0 !
1 file changed, 22 insertions(+), 6 deletions(-)

 resolver: limited cname recursion.

Previously, the recursion was only limited for cached responses.

src/os/unix/ngx_files.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 core: skip special buffers on writing (ticket #981).

A special last buffer with cl->buf->pos set to NULL can be present in
a chain when writing request body if chunked encoding was used.  This
resulted in a NULL pointer dereference if it happened to be the only
buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding
support.  Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the
minimum number of buffers to trigger this from IOV_MAX (typically 1024)
to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is
done in other places.

Backported by 1.11.1 for debian.

src/http/modules/ngx_http_range_filter_module.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] range filter: protect from total size overflows.

The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.