nginx.git/src/core/ngx_inet.c, branch release-1.28.2 nginx Realip: allowed square brackets with portless IPv6 address. 2024-11-26T14:27:07+00:00 Roman Arutyunyan arut@nginx.com 2024-11-11T18:28:30+00:00 b2a67d261496555a46b8931935bf822ce9938294 When client address is received, IPv6 address could be specified without square brackets and without port, as well as both with the brackets and port. The change allows IPv6 in square brackets and no port, which was previously considered an error. This format conforms to RFC 3986. The change also affects proxy_bind and friends. 
When client address is received, IPv6 address could be specified without
square brackets and without port, as well as both with the brackets and
port.  The change allows IPv6 in square brackets and no port, which was
previously considered an error.  This format conforms to RFC 3986.

The change also affects proxy_bind and friends.
Fixed undefined behaviour with IPv4-mapped IPv6 addresses. 2024-03-18T13:14:30+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-18T13:14:30+00:00 3d5a356abb4f06b0f103290bd31a4c146233956b Previously, it could result when left-shifting signed integer due to implicit integer promotion, such that the most significant bit appeared on the sign bit. In practice, though, this results in the same left value as with an explicit cast, at least on known compilers, such as GCC and Clang. The reason is that in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32 and LP64 data type models, has the same type width as the intermediate after integer promotion, so there's no side effects such as sign-extension. This explains why adding an explicit cast does not change object files in practice. Found with UndefinedBehaviorSanitizer (shift). Based on a patch by Piotr Sikora. 
Previously, it could result when left-shifting signed integer due to implicit
integer promotion, such that the most significant bit appeared on the sign bit.

In practice, though, this results in the same left value as with an explicit
cast, at least on known compilers, such as GCC and Clang.  The reason is that
in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32
and LP64 data type models, has the same type width as the intermediate after
integer promotion, so there's no side effects such as sign-extension.  This
explains why adding an explicit cast does not change object files in practice.

Found with UndefinedBehaviorSanitizer (shift).

Based on a patch by Piotr Sikora.
Listen port ranges. 2019-03-06T17:46:09+00:00 Roman Arutyunyan arut@nginx.com 2019-03-06T17:46:09+00:00 912fb44e25c6ab2598e36b4544c709b871251b2e A range is specified with a dash. For each port in a range a separate listen socket is created. Examples: listen 8080-9000; listen example.com:80-88; 
A range is specified with a dash.  For each port in a range a separate listen
socket is created.

Examples:

    listen 8080-9000;
    listen example.com:80-88;
Removed sorting of getaddrinfo() results. 2019-03-20T17:31:59+00:00 Roman Arutyunyan arut@nginx.com 2019-03-20T17:31:59+00:00 b92e8ffa130366b0181c34f95376a56245cf6414 Previously the ngx_inet_resolve_host() function sorted addresses in a way that IPv4 addresses came before IPv6 addresses. This was implemented in eaf95350d75c (1.3.10) along with the introduction of getaddrinfo() which could resolve host names to IPv6 addresses. Since the "listen" directive only used the first address, sorting allowed to preserve "listen" compatibility with the previous behavior and with the behavior of nginx built without IPv6 support. Now "listen" uses all resolved addresses which makes sorting pointless. 
Previously the ngx_inet_resolve_host() function sorted addresses in a way that
IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
(1.3.10) along with the introduction of getaddrinfo() which could resolve host
names to IPv6 addresses.  Since the "listen" directive only used the first
address, sorting allowed to preserve "listen" compatibility with the previous
behavior and with the behavior of nginx built without IPv6 support.  Now
"listen" uses all resolved addresses which makes sorting pointless.
Multiple addresses in "listen". 2019-03-15T12:45:56+00:00 Roman Arutyunyan arut@nginx.com 2019-03-15T12:45:56+00:00 4e17b93eb6787e99a4023f20f8c391284f86bbf3 Previously only one address was used by the listen directive handler even if host name resolved to multiple addresses. Now a separate listening socket is created for each address. 
Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.
Fixed build without IPv6, broken by 874171c3c71a. 2017-10-05T13:50:35+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-05T13:50:35+00:00 3a2ca34548ab5d260d9d3de710ff652cf00cc0f5 






Fixed handling of non-null-terminated unix sockets.
2017-10-04T18:19:38+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-10-04T18:19:38+00:00

cba23f88ec6740b7f8d6a1383254708a91d37625

At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.





At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.







Core: sockaddr lengths now respected by ngx_cmp_sockaddr().
2016-10-10T13:15:41+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-10-10T13:15:41+00:00

f594b2bf6dbb49f5e2bc27cc3f27f272a7f95c1c

Linux can return AF_UNIX sockaddrs with partially filled sun_path,
resulting in spurious comparison failures and failed binary upgrades.
Added proper checking of the lengths provided.

Reported by Jan Seda,
http://mailman.nginx.org/pipermail/nginx-devel/2016-September/008832.html.





Linux can return AF_UNIX sockaddrs with partially filled sun_path,
resulting in spurious comparison failures and failed binary upgrades.
Added proper checking of the lengths provided.

Reported by Jan Seda,
http://mailman.nginx.org/pipermail/nginx-devel/2016-September/008832.html.







Core: introduced ngx_cidr_match() function.
2016-09-07T10:56:53+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-09-07T10:56:53+00:00

a613df5b3f470369e7ce7ebe34e82056b6fc0919












Fixed build on MSVC.
2016-06-20T12:11:50+00:00

Roman Arutyunyan
arut@nginx.com

2016-06-20T12:11:50+00:00

9810fd06cb3358dbc880ccfcb30a49e693623d0c