From 7600ca028644d3ecc7e62499d71bbe21fe3bda0d Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan
Date: Wed, 2 Nov 2022 13:46:16 +0400
Subject: Increased maximum read PROXY protocol header size. Maximum size for reading the PROXY protocol header is increased to 4096 to accommodate a bigger number of TLVs, which are supported since cca4c8a715de. Maximum size for writing the PROXY protocol header is not changed since only version 1 is currently supported.
---
 src/core/ngx_proxy_protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/core/ngx_proxy_protocol.c')
diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
index 2d9c095b1..212763647 100644
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -281,7 +281,7 @@ ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last)
 {
 ngx_uint_t port, lport;
- if (last - buf < NGX_PROXY_PROTOCOL_MAX_HEADER) {
+ if (last - buf < NGX_PROXY_PROTOCOL_V1_MAX_HEADER) {
 return NULL;
 }
-- 
cgit v1.2.3
From fbe42d46312a87ee24f9038f26876a95c7abab34 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Tue, 8 Nov 2022 12:48:19 +0300
Subject: Added logging to PROXY protocol write buffer check. The check is not expected to fail unless there is a bug in the calling code. But given the check is here, it should log an alert if it fails instead of silently closing the connection.
---
 src/core/ngx_proxy_protocol.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/core/ngx_proxy_protocol.c')
diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
index 212763647..8d3bd01d9 100644
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -282,6 +282,8 @@ ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last)
 ngx_uint_t port, lport;
 if (last - buf < NGX_PROXY_PROTOCOL_V1_MAX_HEADER) {
+ ngx_log_error(NGX_LOG_ALERT, c->log, 0,
+ "too small buffer for PROXY protocol");
 return NULL;
 }
-- 
cgit v1.2.3
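Review bot: The alert added in the `@@ -282,6 +282,8 @@` hunk does not record how much space the caller supplied or how much was required, so the log entry alone cannot identify which caller passed the undersized buffer or by how much. Since the commit message describes this branch as reachable only through a bug in calling code, logging both values would make the alert actionable, for example `"too small buffer for PROXY protocol: %z available"` with `last - buf` as the argument (the format specifier should be checked against ngx_sprintf and the operand type). The body of ngx_proxy_protocol_write continues outside the hunk, so what the caller does with the NULL return is not visible here.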
From 67e2a6916170f126a078bf7499a9a02c994e2f6d Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Tue, 8 Nov 2022 12:48:21 +0300
Subject: Fixed PROXY protocol to use ngx_memcpy()/ngx_memcmp().
---
 src/core/ngx_proxy_protocol.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'src/core/ngx_proxy_protocol.c')
diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
index 8d3bd01d9..49888b986 100644
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -109,7 +109,7 @@ ngx_proxy_protocol_read(ngx_connection_t *c, u_char *buf, u_char *last)
 len = last - buf;
 if (len >= sizeof(ngx_proxy_protocol_header_t)
- && memcmp(p, signature, sizeof(signature) - 1) == 0)
+ && ngx_memcmp(p, signature, sizeof(signature) - 1) == 0)
 {
 return ngx_proxy_protocol_v2_read(c, buf, last);
 }
@@ -396,11 +396,11 @@ ngx_proxy_protocol_v2_read(ngx_connection_t *c, u_char *buf, u_char *last)
 src_sockaddr.sockaddr_in.sin_family = AF_INET;
 src_sockaddr.sockaddr_in.sin_port = 0;
- memcpy(&src_sockaddr.sockaddr_in.sin_addr, in->src_addr, 4);
+ ngx_memcpy(&src_sockaddr.sockaddr_in.sin_addr, in->src_addr, 4);
 dst_sockaddr.sockaddr_in.sin_family = AF_INET;
 dst_sockaddr.sockaddr_in.sin_port = 0;
- memcpy(&dst_sockaddr.sockaddr_in.sin_addr, in->dst_addr, 4);
+ ngx_memcpy(&dst_sockaddr.sockaddr_in.sin_addr, in->dst_addr, 4);
 pp->src_port = ngx_proxy_protocol_parse_uint16(in->src_port);
 pp->dst_port = ngx_proxy_protocol_parse_uint16(in->dst_port);
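Review bot: The signature compare in the `@@ -109,7 +109,7 @@` hunk stays in bounds only because `len >= sizeof(ngx_proxy_protocol_header_t)` is evaluated first and the header structure is presumably at least `sizeof(signature) - 1` bytes long; neither the structure nor `signature` is declared inside the hunk. A one-line comment above the condition would stop a later edit from reordering or loosening the guard, for example `/* len covers the whole v2 header, so the signature compare stays inside buf */`. ngx_proxy_protocol_read begins and ends outside the hunk.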
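Review bot: The address copies in the `@@ -396,11 +396,11 @@` hunk, and the matching IPv6 copies in the `@@ -423,11 +423,11 @@` hunk, still pass the bare lengths `4` and `16`, so nothing ties the copy size to the source field or to the destination member. Because `in` and `in6` point into a header received from the peer, deriving the length from the field keeps the two in step if either declaration changes, e.g. `ngx_memcpy(&src_sockaddr.sockaddr_in.sin_addr, in->src_addr, sizeof(in->src_addr));`, assuming `src_addr` is declared as a fixed-size array (the declaration is outside the hunk). The check that the buffer holds a complete address block before `in` or `in6` is dereferenced is also outside both hunks and should be confirmed when reviewing this path.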
@@ -423,11 +423,11 @@ ngx_proxy_protocol_v2_read(ngx_connection_t *c, u_char *buf, u_char *last)
 src_sockaddr.sockaddr_in6.sin6_family = AF_INET6;
 src_sockaddr.sockaddr_in6.sin6_port = 0;
- memcpy(&src_sockaddr.sockaddr_in6.sin6_addr, in6->src_addr, 16);
+ ngx_memcpy(&src_sockaddr.sockaddr_in6.sin6_addr, in6->src_addr, 16);
 dst_sockaddr.sockaddr_in6.sin6_family = AF_INET6;
 dst_sockaddr.sockaddr_in6.sin6_port = 0;
- memcpy(&dst_sockaddr.sockaddr_in6.sin6_addr, in6->dst_addr, 16);
+ ngx_memcpy(&dst_sockaddr.sockaddr_in6.sin6_addr, in6->dst_addr, 16);
 pp->src_port = ngx_proxy_protocol_parse_uint16(in6->src_port);
 pp->dst_port = ngx_proxy_protocol_parse_uint16(in6->dst_port);
-- 
cgit v1.2.3