nginx.git/src/http, branch release-1.15.7 nginx Negative size buffers detection. 2018-11-26T15:29:56+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-26T15:29:56+00:00 f4c70589ce2875b67554113dc7fe6efc581444d6 In the past, there were several security issues which resulted in worker process memory disclosure due to buffers with negative size. It looks reasonable to check for such buffers in various places, much like we already check for zero size buffers. While here, removed "#if 1 / #endif" around zero size buffer checks. It looks highly unlikely that we'll disable these checks anytime soon. 
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
Mp4: fixed possible pointer overflow on 32-bit platforms. 2018-11-21T17:23:16+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-21T17:23:16+00:00 f5708e66c7187c2489a7d0b39918f6d0fe4c6645 On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addesses being read further in the code. In most cases this results in harmless errors being logged, though may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that overflow cannot happen. 
On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code.  In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.

To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end.  This ensures that overflow cannot happen.
Limit req: "delay=" parameter. 2018-11-21T15:56:50+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-21T15:56:50+00:00 aedc37fb3e7fb4550c17c4ec7aed3d33c73aab43 This parameter specifies an additional "soft" burst limit at which requests become delayed (but not yet rejected as it happens if "burst=" limit is exceeded). Defaults to 0, i.e., all excess requests are delayed. Originally inspired by Vladislav Shabanov (http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008126.html). Further improved based on a patch by Peter Shchuchkin (http://mailman.nginx.org/pipermail/nginx-devel/2018-October/011522.html). 
This parameter specifies an additional "soft" burst limit at which requests
become delayed (but not yet rejected as it happens if "burst=" limit is
exceeded).  Defaults to 0, i.e., all excess requests are delayed.

Originally inspired by Vladislav Shabanov
(http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008126.html).
Further improved based on a patch by Peter Shchuchkin
(http://mailman.nginx.org/pipermail/nginx-devel/2018-October/011522.html).
Limit req: fixed error message wording. 2018-11-21T15:56:44+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-21T15:56:44+00:00 56dffac3e3a47b4809a1c8007ddd5beb1ca36239 






Upstream: revised upstream response time variables.
2018-11-21T10:40:40+00:00

Vladimir Homutov
vl@nginx.com

2018-11-21T10:40:40+00:00

c24146731810f2711da608cd7f3bdca528a3eb14

Variables now do not depend on presence of the HTTP status code in response.
If the corresponding event occurred, variables contain time between request
creation and the event, and "-" otherwise.

Previously, intermediate value of the $upstream_response_time variable held
unix timestamp.





Variables now do not depend on presence of the HTTP status code in response.
If the corresponding event occurred, variables contain time between request
creation and the event, and "-" otherwise.

Previously, intermediate value of the $upstream_response_time variable held
unix timestamp.







Upstream: removed unused ngx_http_upstream_t.timeout field.
2018-11-21T10:40:36+00:00

Vladimir Homutov
vl@nginx.com

2018-11-21T10:40:36+00:00

0f669b23a84785cdb1891b73d3ecb03a3174ea04












gRPC: limited allocations due to ping and settings frames.
2018-11-06T13:29:59+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-11-06T13:29:59+00:00

42043b4ef7e60eabed114164f36c1d2314faef1a












HTTP/2: limit the number of idle state switches.
2018-11-06T13:29:49+00:00

Ruslan Ermilov
ru@nginx.com

2018-11-06T13:29:49+00:00

60b93594cca9cb5d63f26e724c458ccb380ac540

An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.

This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.

Initially reported by Gal Goldshtein from F5 Networks.





An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.

This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.

Initially reported by Gal Goldshtein from F5 Networks.







HTTP/2: flood detection.
2018-11-06T13:29:35+00:00

Ruslan Ermilov
ru@nginx.com

2018-11-06T13:29:35+00:00

8ec4146e1aad3a4fc0b19a024f8ef3516791e30c

Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
is to limit the number of allocated control frames.





Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
is to limit the number of allocated control frames.







Mp4: fixed reading 64-bit atoms.
2018-11-06T13:29:18+00:00

Roman Arutyunyan
arut@nginx.com

2018-11-06T13:29:18+00:00

9cd9526ba68a3dcfc763a3f7693ccb4f48e855fb

Previously there was no validation for the size of a 64-bit atom
in an mp4 file.  This could lead to a CPU hog when the size is 0,
or various other problems due to integer underflow when calculating
atom data size, including segmentation fault or worker process
memory disclosure.





Previously there was no validation for the size of a 64-bit atom
in an mp4 file.  This could lead to a CPU hog when the size is 0,
or various other problems due to integer underflow when calculating
atom data size, including segmentation fault or worker process
memory disclosure.