nginx memory disclosure, patch it now

http://www.openwall.com/lists/oss-security/2012/03/15/5
 this is a vulnerability found by Matthew Daley, the memory disclosure security problem exist on nginx 0.1.0-1.1.16

 there's 5 files you need to patch

at src/http/modules/ :

ngx_http_fastcgi_module.c
ngx_http_proxy_module.c
ngx_http_scgi_module.c
ngx_http_uwsgi_module.c

at src/http/  :

ngx_http_parse.c


patch_ngx_http_parse :
==========================
--- src/http/ngx_http_parse.c
+++ src/http/ngx_http_parse.c
@@ -874,6 +874,10 @@ ngx_http_parse_header_line(ngx_http_requ
                     break;
                 }

+                if (ch == '\0') {
+                    return NGX_HTTP_PARSE_INVALID_HEADER;
+                }
+
                 r->invalid_header = 1;

                 break;
@@ -936,6 +940,10 @@ ngx_http_parse_header_line(ngx_http_requ
                 break;
             }

+            if (ch == '\0') {
+                return NGX_HTTP_PARSE_INVALID_HEADER;
+            }
+
             r->invalid_header = 1;

             break;
@@ -954,6 +962,8 @@ ngx_http_parse_header_line(ngx_http_requ
                 r->header_start = p;
                 r->header_end = p;
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             default:
                 r->header_start = p;
                 state = sw_value;
@@ -975,6 +985,8 @@ ngx_http_parse_header_line(ngx_http_requ
             case LF:
                 r->header_end = p;
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             }
             break;

@@ -988,6 +1000,8 @@ ngx_http_parse_header_line(ngx_http_requ
                 break;
             case LF:
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             default:
                 state = sw_value;
                 break;
==========================


patch_ngx_http_fastcgi_module:
======
--- src/http/modules/ngx_http_fastcgi_module.c
+++ src/http/modules/ngx_http_fastcgi_module.c
@@ -1501,10 +1501,10 @@ ngx_http_fastcgi_process_header(ngx_http
                     h->lowcase_key = h->key.data + h->key.len + 1
                                      + h->value.len + 1;

-                    ngx_cpystrn(h->key.data, r->header_name_start,
-                                h->key.len + 1);
-                    ngx_cpystrn(h->value.data, r->header_start,
-                                h->value.len + 1);
+                    ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+                    h->key.data[h->key.len] = '\0';
+                    ngx_memcpy(h->value.data, r->header_start, h->value.len);
+                    h->value.data[h->value.len] = '\0';
                 }

                 h->hash = r->header_hash;
=========



patch_ngx_http_proxy_module:
======
--- src/http/modules/ngx_http_proxy_module.c
+++ src/http/modules/ngx_http_proxy_module.c
@@ -1381,8 +1381,10 @@ ngx_http_proxy_process_header(ngx_http_r
             h->value.data = h->key.data + h->key.len + 1;
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;

-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';

             if (h->key.len == r->lowcase_index) {
                 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
========

patch_ngx_http_scgi_module
===
--- src/http/modules/ngx_http_scgi_module.c
+++ src/http/modules/ngx_http_scgi_module.c
@@ -941,8 +941,10 @@ ngx_http_scgi_process_header(ngx_http_re
             h->value.data = h->key.data + h->key.len + 1;
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;

-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';

             if (h->key.len == r->lowcase_index) {
                 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
=========


patch_ngx_http_uwsgi_module:
============
--- src/http/modules/ngx_http_uwsgi_module.c
+++ src/http/modules/ngx_http_uwsgi_module.c
@@ -985,8 +985,10 @@ ngx_http_uwsgi_process_header(ngx_http_r
             h->value.data = h->key.data + h->key.len + 1;
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;

-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';

             if (h->key.len == r->lowcase_index) {
                 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
===========



apply the patch:
============
# ls
ngx_http_access_module.c           ngx_http_geo_module.c                  ngx_http_proxy_module.c.bak      ngx_http_static_module.c
ngx_http_addition_filter_module.c  ngx_http_gzip_filter_module.c          ngx_http_random_index_module.c   ngx_http_stub_status_module.c
ngx_http_auth_basic_module.c       ngx_http_gzip_static_module.c          ngx_http_range_filter_module.c   ngx_http_sub_filter_module.c
ngx_http_autoindex_module.c        ngx_http_headers_filter_module.c       ngx_http_realip_module.c         ngx_http_upstream_ip_hash_module.c
ngx_http_browser_module.c          ngx_http_image_filter_module.c         ngx_http_referer_module.c        ngx_http_userid_filter_module.c
ngx_http_charset_filter_module.c   ngx_http_index_module.c                ngx_http_rewrite_module.c        ngx_http_uwsgi_module.c
ngx_http_chunked_filter_module.c   ngx_http_limit_req_module.c            ngx_http_scgi_module.c           ngx_http_uwsgi_module.c.bak
ngx_http_dav_module.c              ngx_http_limit_zone_module.c           ngx_http_scgi_module.c.bak       ngx_http_xslt_filter_module.c
ngx_http_degradation_module.c      ngx_http_log_module.c                  ngx_http_secure_link_module.c    patch_ngx_http_fastcgi_module
ngx_http_empty_gif_module.c        ngx_http_map_module.c                  ngx_http_split_clients_module.c  patch_ngx_http_proxy_module
ngx_http_fastcgi_module.c          ngx_http_memcached_module.c            ngx_http_ssi_filter_module.c     patch_ngx_http_scgi_module
ngx_http_fastcgi_module.c.bak      ngx_http_mp4_module.c                  ngx_http_ssi_filter_module.h     patch_ngx_http_uwsgi_module
ngx_http_flv_module.c              ngx_http_not_modified_filter_module.c  ngx_http_ssl_module.c            perl
ngx_http_geoip_module.c            ngx_http_proxy_module.c                ngx_http_ssl_module.h
==============

apply the patches:

====
[root@godad modules]# patch < patch_ngx_http_fastcgi_module
patching file ngx_http_fastcgi_module.c
Hunk #1 succeeded at 1446 (offset -55 lines).
[root@godad modules]# patch < patch_ngx_http_proxy_module
patching file ngx_http_proxy_module.c
Hunk #1 succeeded at 1278 (offset -103 lines).
[root@godad modules]# patch < patch_ngx_http_scgi_module
patching file ngx_http_scgi_module.c
Hunk #1 succeeded at 894 (offset -47 lines).
[root@godad modules]# patch < patch_ngx_http_uwsgi_module
patching file ngx_http_uwsgi_module.c
Hunk #1 succeeded at 947 (offset -38 lines).

[root@godad modules]# cd ..;patch
patching file ngx_http_parse.c
Hunk #1 succeeded at 814 (offset -60 lines).
Hunk #3 succeeded at 902 (offset -60 lines).
Hunk #5 succeeded at 940 (offset -60 lines).





~then recompile~