Package: nginx / 1.6.2-5+deb8u2~bpo70+1

Metadata

Package Version Patches format
nginx 1.6.2-5+deb8u2~bpo70+1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
perl use dpkg buildflags.patch | (download)

src/http/modules/perl/Makefile.PL | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 use linker flags from environment for perl (dpkg-buildflags).
 Necessary for hardening flags.
0003 Resolver fixed possible segmentation fault on DNS fo.patch | (download)

src/core/ngx_resolver.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 resolver: fixed possible segmentation fault on dns format error.


0004 Resolver fixed crashes in timeout handler.patch | (download)

src/core/ngx_resolver.c | 50 34 + 16 - 0 !
1 file changed, 34 insertions(+), 16 deletions(-)

 resolver: fixed crashes in timeout handler.

If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.

0005 Resolver fixed CNAME processing for several requests.patch | (download)

src/core/ngx_resolver.c | 21 15 + 6 - 0 !
1 file changed, 15 insertions(+), 6 deletions(-)

 resolver: fixed cname processing for several requests.

When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.

0006 Resolver changed the ngx_resolver_create_ _query arg.patch | (download)

src/core/ngx_resolver.c | 57 27 + 30 - 0 !
1 file changed, 27 insertions(+), 30 deletions(-)

 resolver: changed the ngx_resolver_create_*_query() arguments.

No functional changes.

This is needed by the following change.

0007 Resolver fixed use after free memory accesses with C.patch | (download)

src/core/ngx_resolver.c | 72 33 + 39 - 0 !
src/core/ngx_resolver.h | 2 2 + 0 - 0 !
2 files changed, 35 insertions(+), 39 deletions(-)

 resolver: fixed use-after-free memory accesses with cname.

When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.

0008 Resolver limited CNAME recursion.patch | (download)

src/core/ngx_resolver.c | 28 22 + 6 - 0 !
1 file changed, 22 insertions(+), 6 deletions(-)

 resolver: limited cname recursion.

Previously, the recursion was only limited for cached responses.

0009 Core skip special buffers on writing ticket 981.patch | (download)

src/os/unix/ngx_files.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 core: skip special buffers on writing (ticket #981).

A special last buffer with cl->buf->pos set to NULL can be present in
a chain when writing request body if chunked encoding was used.  This
resulted in a NULL pointer dereference if it happened to be the only
buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding
support.  Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the
minimum number of buffers to trigger this from IOV_MAX (typically 1024)
to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is
done in other places.

Backported by 1.11.1 for debian.