BUGTRAQ ID: 59496

nginx is an HTTP and reverse proxy server that is also used as a mail proxy server, written by Igor Sysoev.

nginx's implementation contains a remote integer overflow vulnerability: when r->count is less than 0 or greater than 255, the Nginx ngx_http_close_connection function has an integer overflow error. A remote attacker who exploits this vulnerability with a malicious HTTP request may be able to execute arbitrary code in the context of the application.

Igor Sysoev nginx 1.1.19
Igor Sysoev nginx 1.1.17
Igor Sysoev nginx 1.0.9
Igor Sysoev nginx 1.0.8
Igor Sysoev nginx 1.0.15
Igor Sysoev nginx 1.0.14
Igor Sysoev nginx 1.0.10

Workaround:

Until an official update for this issue is released, we recommend installing the following patch:

From http://pastie.org/private/vrocsopzemghn4y5dlg8q

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 9f63143..807cbc0 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1986,7 +1986,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r, if (r == c->data) { - r->main->count--; + if (r->main->count > 0) + r->main->count--; if (!r->logged) { @@ -2022,7 +2023,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r, } if (ngx_http_post_request(pr, NULL) != NGX_OK) { - r->main->count++; + if (r->main->count < 255) + r->main->count++; ngx_http_terminate_request(r, 0); return; } @@ -2911,7 +2913,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r, ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "post action: \"%V\"", &clcf->post_action); - r->main->count--; + if (r->main->count > 0) + r->main->count--; r->http_version = NGX_HTTP_VERSION_9; r->header_only = 1; @@ -2945,7 +2948,8 @@ static u_char *ngx_http_log_error_handler(ngx_http_request_t *r, ngx_log_error(NGX_LOG_ALERT, c->log, 0, "http request count is zero"); } - r->count--; + if (r->count > 0) + r->count--; if (r->count || r->blocked) { return; diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c index ac09d56..8ea33f4 100644 --- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c 
@@ -37,7 +37,8 @@ static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r, ngx_http_request_body_t *rb; ngx_http_core_loc_conf_t *clcf; - r->main->count++; + if (r->main->count < 255) + r->main->count++; if (r->request_body || r->discard_body) { post_handler(r); @@ -485,7 +486,8 @@ static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r, r->lingering_close = 0; } else { - r->count++; + if (r->count < 255) + r->count++; r->discard_body = 1; } 

The program must be recompiled for the fix to take effect.

Vendor patch:

Igor Sysoev
-----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://nginx.org/en/download.html
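
Review bot: in the `@@ -1986` hunk of src/http/ngx_http_request.c, the new `if (r->main->count > 0)` has an unbraced body, while the context lines around it (`if (r == c->data) {`, `if (!r->logged) {`) brace every `if`; add braces. A count that is already zero at this decrement is a release without a matching reference, so the skipped branch should log an alert rather than pass silently.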
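
Review bot: the literal 255 in `if (r->main->count < 255)` (hunk `@@ -2022`, src/http/ngx_http_request.c) is a magic number that this patch repeats in three hunks; define one named constant for the counter's maximum and use it in each place. When the guard skips the increment here, `ngx_http_terminate_request(r, 0)` is still called on the next line with the counter one lower than the unpatched code would have left it, so the saturated case needs to be logged and handled explicitly.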
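
Review bot: in the `@@ -2945` hunk of src/http/ngx_http_request.c, guarding `r->count--` changes the control flow after the "http request count is zero" alert: the counter now stays 0, so `if (r->count || r->blocked)` is false whenever `r->blocked` is 0 and execution continues past the `return`, whereas the unpatched `r->count--` left a nonzero value and the function returned. If a request whose count was already zero is not meant to continue, return directly after the alert instead of relying on the guard.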
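
Review bot: in the `@@ -37` hunk of src/http/ngx_http_request_body.c, when `r->main->count` is already 255 the increment is skipped but the code carries on to `post_handler(r)` as if the reference had been taken. Log the condition and fail the request at this point, so that a later release cannot bring the counter below the number of outstanding holders.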
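
Review bot: in the `@@ -485` hunk of src/http/ngx_http_request_body.c, `r->discard_body = 1` is still set when `if (r->count < 255)` skips the increment, so the flag is set without the reference that the unpatched line always paired with it. Put both statements under one braced check, or fail the request when the counter is saturated.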
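
The counter behaviour described in the advisory, modelled as an added example (not nginx code and not part of the original advisory): an 8-bit unsigned counter, assumed from the 0 to 255 range named in the description, updated with the unguarded and the guarded statements from the patch. The struct and function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical stand-in for a request object (not nginx code). Only the
   0..255 range comes from the advisory; all names here are assumptions. */
struct req { unsigned count:8; };

/* Unguarded updates, as on the '-' lines of the patch. */
static void ref_raw(struct req *r)   { r->count++; }
static void unref_raw(struct req *r) { r->count--; }

/* Guarded updates, as on the '+' lines of the patch. */
static void ref_guard(struct req *r)   { if (r->count < 255) r->count++; }
static void unref_guard(struct req *r) { if (r->count > 0) r->count--; }

/* Counter value after `extra` references join one existing holder. */
unsigned count_after_refs(unsigned extra, int guarded)
{
    struct req r = { 1 };
    for (unsigned i = 0; i < extra; i++) {
        if (guarded) ref_guard(&r); else ref_raw(&r);
    }
    return r.count;
}

/* Counter value after one release on an object that already reads zero. */
unsigned count_after_extra_unref(int guarded)
{
    struct req r = { 0 };
    if (guarded) unref_guard(&r); else unref_raw(&r);
    return r.count;
}

/* Holders still outstanding when the guarded counter first reads zero. */
unsigned holders_left_at_zero(unsigned extra)
{
    struct req r = { 1 };
    unsigned holders = 1 + extra;
    for (unsigned i = 0; i < extra; i++) ref_guard(&r);
    while (r.count > 0) { unref_guard(&r); holders--; }
    return holders;
}

int main(void)
{
    printf("raw:     1 + 255 refs -> count %u\n", count_after_refs(255, 0));
    printf("raw:     release at 0 -> count %u\n", count_after_extra_unref(0));
    printf("guarded: 1 + 300 refs -> count %u\n", count_after_refs(300, 1));
    printf("guarded: holders left at zero -> %u\n", holders_left_at_zero(300));
    return 0;
}
```

In this model the guards stop the wrap in both directions, but once the counter has been clamped it reaches zero while modelled holders remain, so clamping alone does not restore correct accounting.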