nginx-1.26.3-RELEASE

SNI: added restriction for TLSv1.3 cross-SNI session resumption.
In OpenSSL, session resumption always happens in the default SSL context, prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older protocols, SSL_get_servername() returns values received in the resumption handshake, which may be different from the value in the initial handshake. Notably, this makes the restriction added in b720f650b insufficient for sessions resumed with different SNI server name. Considering the example from b720f650b, previously, a client was able to request example.org by presenting a certificate for example.org, then to resume and request example.com. The fix is to reject handshakes resumed with a different server name, if verification of client certificates is enabled in a corresponding server configuration.
2025-02-05 20:40:47 +04:00 · 2025-02-05 20:40:47 +04:00 · 2025-02-05 20:40:47 +04:00 · 2025-02-05 20:40:47 +04:00 · 2025-02-05 20:40:47 +04:00 · 2025-02-05 20:40:47 +04:00
29 changed files with 377 additions and 59 deletions
--- a/.hgtags
+++ b/.hgtags
@ -478,3 +478,6 @@ f8134640e8615448205785cf00b0bc810489b495 release-1.25.1
 294a3d07234f8f65d7b0e0b0e2c5b05c12c5da0a release-1.25.3
 173a0a7dbce569adbb70257c6ec4f0f6bc585009 release-1.25.4
 8618e4d900cc71082fbe7dc72af087937d64faf5 release-1.25.5
+a58202a8c41bf0bd97eef1b946e13105a105520d release-1.26.0
+a63c124e34bcf2d1d1feb8d40ff075103b967c4c release-1.26.1
+e4c5da06073ca24e2ffc5c8f8b8d7833a926356f release-1.26.2
--- a/docs/text/LICENSE
+++ b/docs/text/LICENSE
--- a/docs/text/README
+++ b/docs/text/README
--- a/auto/lib/libatomic/conf
+++ b/auto/lib/libatomic/conf
@ -7,8 +7,8 @@ if [ $NGX_LIBATOMIC != YES ]; then

    have=NGX_HAVE_LIBATOMIC . auto/have
    CORE_INCS="$CORE_INCS $NGX_LIBATOMIC/src"
-    LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/src/libatomic_ops.a"
-    CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/src/libatomic_ops.a"
+    LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
+    CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"

 else

@ -19,7 +19,7 @@ else
                      #include <atomic_ops.h>"
    ngx_feature_path=
    ngx_feature_libs="-latomic_ops"
-    ngx_feature_test="long  n = 0;
+    ngx_feature_test="AO_t  n = 0;
                      if (!AO_compare_and_swap(&n, 0, 1))
                          return 1;
                      if (AO_fetch_and_add(&n, 1) != 1)
--- a/auto/lib/libatomic/make
+++ b/auto/lib/libatomic/make
@ -3,14 +3,19 @@
 # Copyright (C) Nginx, Inc.


+    case $NGX_LIBATOMIC in
+        /*) ngx_prefix="$NGX_LIBATOMIC/build" ;;
+        *)  ngx_prefix="$PWD/$NGX_LIBATOMIC/build" ;;
+    esac
+
    cat << END                                            >> $NGX_MAKEFILE

-$NGX_LIBATOMIC/src/libatomic_ops.a:	$NGX_LIBATOMIC/Makefile
-	cd $NGX_LIBATOMIC && \$(MAKE)
+$NGX_LIBATOMIC/build/lib/libatomic_ops.a:	$NGX_LIBATOMIC/Makefile
+	cd $NGX_LIBATOMIC && \$(MAKE) && \$(MAKE) install

 $NGX_LIBATOMIC/Makefile:	$NGX_MAKEFILE
 	cd $NGX_LIBATOMIC \\
 	&& if [ -f Makefile ]; then \$(MAKE) distclean; fi \\
-	&& ./configure
+	&& ./configure --prefix=$ngx_prefix

 END
--- a/auto/lib/pcre/make
+++ b/auto/lib/pcre/make
@ -36,7 +36,8 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                       pcre2_valid_utf.c \
                       pcre2_xclass.c"

-        ngx_pcre_test="pcre2_convert.c \
+        ngx_pcre_test="pcre2_chkdint.c \
+                       pcre2_convert.c \
                       pcre2_extuni.c \
                       pcre2_find_bracket.c \
                       pcre2_script_run.c \
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@ -5,6 +5,175 @@
 <change_log title="nginx">


+<changes ver="1.26.3" date="2025-02-05">
+
+<change type="security">
+<para lang="ru">
+недостаточная проверка в обработке виртуальных серверов
+при использовании SNI в TLSv1.3 позволяла повторно использовать
+SSL-сессию в контексте другого виртуального сервера,
+чтобы обойти проверку клиентских SSL-сертификатов (CVE-2025-23419).
+</para>
+<para lang="en">
+insufficient check in virtual servers handling with TLSv1.3 SNI
+allowed to reuse SSL sessions in a different virtual server,
+to bypass client SSL certificates verification (CVE-2025-23419).
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в модуле ngx_http_mp4_module.<br/>
+Спасибо Nils Bars.
+</para>
+<para lang="en">
+in the ngx_http_mp4_module.<br/>
+Thanks to Nils Bars.
+</para>
+</change>
+
+<change type="workaround">
+<para lang="ru">
+при использовании zlib-ng
+в логах появлялись сообщения "gzip filter failed to use preallocated memory".
+</para>
+<para lang="en">
+"gzip filter failed to use preallocated memory" alerts appeared in logs
+when using zlib-ng.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx не мог собрать библиотеку libatomic из исходных текстов,
+если использовался параметр --with-libatomic=DIR.
+</para>
+<para lang="en">
+nginx could not build libatomic library using the library sources
+if the --with-libatomic=DIR option was used.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+теперь nginx игнорирует пакеты согласования версий QUIC от клиентов.
+</para>
+<para lang="en">
+nginx now ignores QUIC version negotiation packets from clients.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx не собирался на Solaris 10 и более ранних
+с модулем ngx_http_v3_module.
+</para>
+<para lang="en">
+nginx could not be built on Solaris 10 and earlier
+with the ngx_http_v3_module.
+</para>
+</change>
+
+<change>
+<para lang="ru">
+Исправления в HTTP/3.
+</para>
+<para lang="en">
+Bugfixes in HTTP/3.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.26.2" date="2024-08-14">
+
+<change type="security">
+<para lang="ru">
+обработка специально созданного mp4-файла модулем ngx_http_mp4_module
+могла приводить к падению рабочего процесса (CVE-2024-7347).<br/>
+Спасибо Nils Bars.
+</para>
+<para lang="en">
+processing of a specially crafted mp4 file by the ngx_http_mp4_module
+might cause a worker process crash (CVE-2024-7347).<br/>
+Thanks to Nils Bars.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.26.1" date="2024-05-29">
+
+<change type="security">
+<para lang="ru">
+при использовании HTTP/3 обработка специально созданной QUIC-сессии могла
+приводить к падению рабочего процесса, отправке клиенту содержимого памяти
+рабочего процесса на системах с MTU больше 4096 байт, а также потенциально
+могла иметь другие последствия
+(CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161).<br/>
+Спасибо Nils Bars из CISPA.
+</para>
+<para lang="en">
+when using HTTP/3, processing of a specially crafted QUIC session might
+cause a worker process crash, worker process memory disclosure on systems
+with MTU larger than 4096 bytes, or might have potential other impact
+(CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161).<br/>
+Thanks to Nils Bars of CISPA.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+уменьшено потребление памяти для долгоживущих запросов,
+если используются директивы gzip, gunzip, ssi, sub_filter или grpc_pass.
+</para>
+<para lang="en">
+reduced memory consumption for long-lived requests
+if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+nginx не собирался gcc 14,
+если использовался параметр --with-libatomic.<br/>
+Спасибо Edgar Bonet.
+</para>
+<para lang="en">
+nginx could not be built by gcc 14
+if the --with-libatomic option was used.<br/>
+Thanks to Edgar Bonet.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в HTTP/3.
+</para>
+<para lang="en">
+in HTTP/3.
+</para>
+</change>
+
+</changes>
+
+
+<changes ver="1.26.0" date="2024-04-23">
+
+<change>
+<para lang="ru">
+Стабильная ветка 1.26.x.
+</para>
+<para lang="en">
+1.26.x stable branch.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="1.25.5" date="2024-04-16">

 <change type="feature">
--- a/misc/GNUmakefile
+++ b/misc/GNUmakefile
@ -6,7 +6,7 @@ TEMP =		tmp

 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.0.13
+OPENSSL =	openssl-3.0.15
 ZLIB =		zlib-1.3.1
 PCRE =		pcre2-10.39

@ -15,8 +15,6 @@ release: export

 	mv $(TEMP)/$(NGINX)/auto/configure $(TEMP)/$(NGINX)

-	mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)
-	mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)
 	mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)
 	mv $(TEMP)/$(NGINX)/docs/man $(TEMP)/$(NGINX)

@ -30,12 +28,12 @@ release: export

 export:
 	rm -rf $(TEMP)
-	hg archive -X '.hg*' $(TEMP)/$(NGINX)
+	git archive --prefix=$(TEMP)/$(NGINX)/ HEAD | tar -x -f - --exclude '.git*'


 RELEASE:
-	hg ci -m nginx-$(VER)-RELEASE
-	hg tag -m "release-$(VER) tag" release-$(VER)
+	git commit -m nginx-$(VER)-RELEASE
+	git tag -m "release-$(VER) tag" release-$(VER)

 	$(MAKE) -f misc/GNUmakefile release

@ -93,8 +91,8 @@ zip: export

 	sed -i '' -e "s/$$/`printf '\r'`/" $(TEMP)/$(NGINX)/conf/*

-	mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)/docs.new
-	mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)/docs.new
+	mv $(TEMP)/$(NGINX)/LICENSE $(TEMP)/$(NGINX)/docs.new
+	mv $(TEMP)/$(NGINX)/README $(TEMP)/$(NGINX)/docs.new
 	mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)

 	rm -r $(TEMP)/$(NGINX)/docs
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_


-#define nginx_version      1025005
-#define NGINX_VERSION      "1.25.5"
+#define nginx_version      1026003
+#define NGINX_VERSION      "1.26.3"
 #define NGINX_VER          "nginx/" NGINX_VERSION

 #ifdef NGX_BUILD
--- a/src/core/ngx_output_chain.c
+++ b/src/core/ngx_output_chain.c
@ -117,7 +117,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)

                ngx_debug_point();

-                ctx->in = ctx->in->next;
+                cl = ctx->in;
+                ctx->in = cl->next;
+
+                ngx_free_chain(ctx->pool, cl);

                continue;
            }
@ -203,7 +206,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
            /* delete the completed buf from the ctx->in chain */

            if (ngx_buf_size(ctx->in->buf) == 0) {
-                ctx->in = ctx->in->next;
+                cl = ctx->in;
+                ctx->in = cl->next;
+
+                ngx_free_chain(ctx->pool, cl);
            }

            cl = ngx_alloc_chain_link(ctx->pool);
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@ -648,6 +648,7 @@ ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb)
    ngx_quic_free_chain(c, qb->chain);

    qb->chain = NULL;
+    qb->last_chain = NULL;
 }


--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@ -391,6 +391,7 @@ SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)

    wbio = BIO_new(BIO_s_null());
    if (wbio == NULL) {
+        BIO_free(rbio);
        return 0;
    }

--- a/src/event/quic/ngx_event_quic_output.c
+++ b/src/event/quic/ngx_event_quic_output.c
@ -411,7 +411,7 @@ ngx_quic_send_segments(ngx_connection_t *c, u_char *buf, size_t len,
    ngx_memzero(msg_control, sizeof(msg_control));

    iov.iov_len = len;
-    iov.iov_base = buf;
+    iov.iov_base = (void *) buf;

    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
@ -699,7 +699,7 @@ ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len,
    ngx_memzero(&msg, sizeof(struct msghdr));

    iov.iov_len = len;
-    iov.iov_base = buf;
+    iov.iov_base = (void *) buf;

    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
    ngx_quic_crypto_frame_t  *f;

    qc = ngx_quic_get_connection(c);
+
+    if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
+        return NGX_OK;
+    }
+
    ctx = ngx_quic_get_send_ctx(qc, pkt->level);
    f = &frame->u.crypto;

--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@ -174,7 +174,7 @@ ngx_int_t
 ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
 {
    ngx_pool_t         *pool;
-    ngx_queue_t        *q;
+    ngx_queue_t        *q, posted_events;
    ngx_rbtree_t       *tree;
    ngx_connection_t   *sc;
    ngx_rbtree_node_t  *node;
@ -197,6 +197,8 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
        return NGX_OK;
    }

+    ngx_queue_init(&posted_events);
+
    node = ngx_rbtree_min(tree->root, tree->sentinel);

    while (node) {
@ -213,15 +215,21 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
        }

        sc->read->error = 1;
+        sc->read->ready = 1;
        sc->write->error = 1;
-
-        ngx_quic_set_event(sc->read);
-        ngx_quic_set_event(sc->write);
+        sc->write->ready = 1;

        sc->close = 1;
-        sc->read->handler(sc->read);
+
+        if (sc->read->posted) {
+            ngx_delete_posted_event(sc->read);
+        }
+
+        ngx_post_event(sc->read, &posted_events);
    }

+    ngx_event_process_posted((ngx_cycle_t *) ngx_cycle, &posted_events);
+
    if (tree->root == tree->sentinel) {
        return NGX_OK;
    }
--- a/src/event/quic/ngx_event_quic_transport.c
+++ b/src/event/quic/ngx_event_quic_transport.c
@ -295,6 +295,11 @@ ngx_quic_parse_packet(ngx_quic_header_t *pkt)
        return NGX_ERROR;
    }

+    if (pkt->version == 0) {
+        /* version negotiation */
+        return NGX_ERROR;
+    }
+
    if (!ngx_quic_supported_version(pkt->version)) {
        return NGX_ABORT;
    }
@ -1750,6 +1755,14 @@ ngx_quic_parse_transport_params(u_char *p, u_char *end, ngx_quic_tp_t *tp,
            return NGX_ERROR;
        }

+        if ((size_t) (end - p) < len) {
+            ngx_log_error(NGX_LOG_INFO, log, 0,
+                          "quic failed to parse"
+                          " transport param id:0x%xL, data length %uL too long",
+                          id, len);
+            return NGX_ERROR;
+        }
+
        rc = ngx_quic_parse_transport_param(p, p + len, id, tp);

        if (rc == NGX_ERROR) {
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@ -1231,7 +1231,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
    ngx_buf_t              *b;
    ngx_int_t               rc;
    ngx_uint_t              next, last;
-    ngx_chain_t            *cl, *out, **ll;
+    ngx_chain_t            *cl, *out, *ln, **ll;
    ngx_http_upstream_t    *u;
    ngx_http_grpc_ctx_t    *ctx;
    ngx_http_grpc_frame_t  *f;
@ -1459,7 +1459,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
            last = 1;
        }

+        ln = in;
        in = in->next;
+
+        ngx_free_chain(r->pool, ln);
    }

    ctx->in = in;
--- a/src/http/modules/ngx_http_gunzip_filter_module.c
+++ b/src/http/modules/ngx_http_gunzip_filter_module.c
@ -333,6 +333,8 @@ static ngx_int_t
 ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
    ngx_http_gunzip_ctx_t *ctx)
 {
+    ngx_chain_t  *cl;
+
    if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
        return NGX_OK;
    }
@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
        return NGX_DECLINED;
    }

-    ctx->in_buf = ctx->in->buf;
-    ctx->in = ctx->in->next;
+    cl = ctx->in;
+    ctx->in_buf = cl->buf;
+    ctx->in = cl->next;
+
+    ngx_free_chain(r->pool, cl);

    ctx->zstream.next_in = ctx->in_buf->pos;
    ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
@ -374,6 +379,7 @@ static ngx_int_t
 ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
    ngx_http_gunzip_ctx_t *ctx)
 {
+    ngx_chain_t             *cl;
    ngx_http_gunzip_conf_t  *conf;

    if (ctx->zstream.avail_out) {
@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
    conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);

    if (ctx->free) {
-        ctx->out_buf = ctx->free->buf;
-        ctx->free = ctx->free->next;
+
+        cl = ctx->free;
+        ctx->out_buf = cl->buf;
+        ctx->free = cl->next;
+
+        ngx_free_chain(r->pool, cl);

        ctx->out_buf->flush = 0;

--- a/src/http/modules/ngx_http_gzip_filter_module.c
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
@ -516,8 +516,10 @@ ngx_http_gzip_filter_memory(ngx_http_request_t *r, ngx_http_gzip_ctx_t *ctx)
        /*
         * Another zlib variant, https://github.com/zlib-ng/zlib-ng.
         * It used to force window bits to 13 for fast compression level,
-         * uses (64 + sizeof(void*)) additional space on all allocations
-         * for alignment, 16-byte padding in one of window-sized buffers,
+         * used (64 + sizeof(void*)) additional space on all allocations
+         * for alignment and 16-byte padding in one of window-sized buffers,
+         * uses a single allocation with up to 200 bytes for alignment and
+         * internal pointers, 5/4 times more memory for the pending buffer,
         * and 128K hash.
         */

@ -526,7 +528,7 @@ ngx_http_gzip_filter_memory(ngx_http_request_t *r, ngx_http_gzip_ctx_t *ctx)
        }

        ctx->allocated = 8192 + 16 + (1 << (wbits + 2))
-                         + 131072 + (1 << (memlevel + 8))
+                         + 131072 + (5 << (memlevel + 6))
                         + 4 * (64 + sizeof(void*));
        ctx->zlib_ng = 1;
    }
@ -985,10 +987,14 @@ static void
 ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
    ngx_http_gzip_ctx_t *ctx)
 {
-    ngx_chain_t  *cl;
+    ngx_chain_t  *cl, *ln;

-    for (cl = ctx->copied; cl; cl = cl->next) {
-        ngx_pfree(r->pool, cl->buf->start);
+    for (cl = ctx->copied; cl; /* void */) {
+        ln = cl;
+        cl = cl->next;
+
+        ngx_pfree(r->pool, ln->buf->start);
+        ngx_free_chain(r->pool, ln);
    }

    ctx->copied = NULL;
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@ -3099,7 +3099,8 @@ static ngx_int_t
 ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
    ngx_http_mp4_trak_t *trak, ngx_uint_t start)
 {
-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
+    uint64_t               n;
+    uint32_t               start_sample, chunk, samples, id, next_chunk,
                           prev_samples;
    ngx_buf_t             *data, *buf;
    ngx_uint_t             entries, target_chunk, chunk_samples;
@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,

        next_chunk = ngx_mp4_get_32value(entry->chunk);

+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
        ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                       "sample:%uD, chunk:%uD, chunks:%uD, "
                       "samples:%uD, id:%uD",
                       start_sample, chunk, next_chunk - chunk, samples, id);

-        n = (next_chunk - chunk) * samples;
+        n = (uint64_t) (next_chunk - chunk) * samples;

        if (start_sample < n) {
            goto found;
@ -3168,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,

        start_sample -= n;

-        prev_samples = samples;
+        if (next_chunk > chunk) {
+            prev_samples = samples;
+        }
+
        chunk = next_chunk;
        samples = ngx_mp4_get_32value(entry->samples);
        id = ngx_mp4_get_32value(entry->id);
@ -3178,11 +3189,18 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,

    next_chunk = trak->chunks + 1;

+    if (next_chunk < chunk) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "unordered mp4 stsc chunks in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
    ngx_log_debug4(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                   "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
                   start_sample, chunk, next_chunk - chunk, samples);

-    n = (next_chunk - chunk) * samples;
+    n = (uint64_t) (next_chunk - chunk) * samples;

    if (start_sample > n) {
        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
@ -3203,6 +3221,12 @@ found:
        return NGX_ERROR;
    }

+    if (chunk == 0) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "zero chunk in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
    target_chunk = chunk - 1;
    target_chunk += start_sample / samples;
    chunk_samples = start_sample % samples;
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@ -482,9 +482,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
    while (ctx->in || ctx->buf) {

        if (ctx->buf == NULL) {
-            ctx->buf = ctx->in->buf;
-            ctx->in = ctx->in->next;
+
+            cl = ctx->in;
+            ctx->buf = cl->buf;
+            ctx->in = cl->next;
            ctx->pos = ctx->buf->pos;
+
+            ngx_free_chain(r->pool, cl);
        }

        if (ctx->state == ssi_start_state) {
--- a/src/http/modules/ngx_http_sub_filter_module.c
+++ b/src/http/modules/ngx_http_sub_filter_module.c
@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
    while (ctx->in || ctx->buf) {

        if (ctx->buf == NULL) {
-            ctx->buf = ctx->in->buf;
-            ctx->in = ctx->in->next;
+
+            cl = ctx->in;
+            ctx->buf = cl->buf;
+            ctx->in = cl->next;
            ctx->pos = ctx->buf->pos;
+
+            ngx_free_chain(r->pool, cl);
        }

        if (ctx->buf->flush || ctx->buf->recycled) {
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
    hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
    if (hc->ssl_servername == NULL) {
        goto error;
@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)

    ngx_set_connection_log(c, clcf->error_log);

-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
-
    c->ssl->buffer_size = sscf->buffer_size;

    if (sscf->ssl.ctx) {
--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@ -810,6 +810,7 @@ ngx_http_v3_parse_field_lri(ngx_connection_t *c,

            st->literal.length = st->pint.value;
            if (st->literal.length == 0) {
+                st->value.data = (u_char *) "";
                goto done;
            }

@ -932,6 +933,7 @@ ngx_http_v3_parse_field_l(ngx_connection_t *c,

            st->literal.length = st->pint.value;
            if (st->literal.length == 0) {
+                st->value.data = (u_char *) "";
                goto done;
            }

@ -1072,6 +1074,7 @@ ngx_http_v3_parse_field_lpbi(ngx_connection_t *c,

            st->literal.length = st->pint.value;
            if (st->literal.length == 0) {
+                st->value.data = (u_char *) "";
                goto done;
            }

--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@ -134,7 +134,17 @@ ngx_http_v3_init(ngx_connection_t *c)
        }
    }

-    return ngx_http_v3_send_settings(c);
+    if (ngx_http_v3_send_settings(c) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+    if (h3scf->max_table_capacity > 0) {
+        if (ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_DECODER) == NULL) {
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
 }


@ -398,14 +408,12 @@ ngx_http_v3_wait_request_handler(ngx_event_t *rev)
 void
 ngx_http_v3_reset_stream(ngx_connection_t *c)
 {
-    ngx_http_v3_session_t   *h3c;
-    ngx_http_v3_srv_conf_t  *h3scf;
-
-    h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
+    ngx_http_v3_session_t  *h3c;

    h3c = ngx_http_v3_get_session(c);

-    if (h3scf->max_table_capacity > 0 && !c->read->eof && !h3c->hq
+    if (!c->read->eof && !h3c->hq
+        && h3c->known_streams[NGX_HTTP_V3_STREAM_SERVER_DECODER]
        && (c->quic->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) == 0)
    {
        (void) ngx_http_v3_send_cancel_stream(c, c->quic->id);
--- a/src/http/v3/ngx_http_v3_table.c
+++ b/src/http/v3/ngx_http_v3_table.c
@ -308,7 +308,7 @@ ngx_http_v3_set_capacity(ngx_connection_t *c, ngx_uint_t capacity)
    prev_max = dt->capacity / 32;

    if (max > prev_max) {
-        elts = ngx_alloc(max * sizeof(void *), c->log);
+        elts = ngx_alloc((max + 1) * sizeof(void *), c->log);
        if (elts == NULL) {
            return NGX_ERROR;
        }
--- a/src/http/v3/ngx_http_v3_uni.c
+++ b/src/http/v3/ngx_http_v3_uni.c
@ -20,8 +20,6 @@ static void ngx_http_v3_close_uni_stream(ngx_connection_t *c);
 static void ngx_http_v3_uni_read_handler(ngx_event_t *rev);
 static void ngx_http_v3_uni_dummy_read_handler(ngx_event_t *wev);
 static void ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev);
-static ngx_connection_t *ngx_http_v3_get_uni_stream(ngx_connection_t *c,
-    ngx_uint_t type);


 void
@ -307,7 +305,7 @@ ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev)
 }


-static ngx_connection_t *
+ngx_connection_t *
 ngx_http_v3_get_uni_stream(ngx_connection_t *c, ngx_uint_t type)
 {
    u_char                     buf[NGX_HTTP_V3_VARLEN_INT_LEN];
--- a/src/http/v3/ngx_http_v3_uni.h
+++ b/src/http/v3/ngx_http_v3_uni.h
@ -19,6 +19,8 @@ ngx_int_t ngx_http_v3_register_uni_stream(ngx_connection_t *c, uint64_t type);

 ngx_int_t ngx_http_v3_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id);

+ngx_connection_t *ngx_http_v3_get_uni_stream(ngx_connection_t *c,
+    ngx_uint_t type);
 ngx_int_t ngx_http_v3_send_settings(ngx_connection_t *c);
 ngx_int_t ngx_http_v3_send_goaway(ngx_connection_t *c, uint64_t id);
 ngx_int_t ngx_http_v3_send_ack_section(ngx_connection_t *c,
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

+    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
    s->srv_conf = cscf->ctx->srv_conf;

    ngx_set_connection_log(c, cscf->error_log);

-    sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
-
    if (sscf->ssl.ctx) {
        if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
            goto error;
Author	SHA1	Message	Date
Sergey Kandaurov	1be0fb0c9f	nginx-1.26.3-RELEASE	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	13935cf9fd	SNI: added restriction for TLSv1.3 cross-SNI session resumption. In OpenSSL, session resumption always happens in the default SSL context, prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older protocols, SSL_get_servername() returns values received in the resumption handshake, which may be different from the value in the initial handshake. Notably, this makes the restriction added in `b720f650b` insufficient for sessions resumed with different SNI server name. Considering the example from `b720f650b`, previously, a client was able to request example.org by presenting a certificate for example.org, then to resume and request example.com. The fix is to reject handshakes resumed with a different server name, if verification of client certificates is enabled in a corresponding server configuration.	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	95f9116128	Updated OpenSSL used for win32 builds.	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	a43f1272c3	Configure: fixed --with-libatomic=DIR with recent libatomic_ops. The build location of the resulting libatomic_ops.a was changed in v7.4.0 after converting libatomic_ops to use libtool. The fix is to use library from the install path, this allows building with both old and new versions. Initially reported here: https://mailman.nginx.org/pipermail/nginx/2018-April/056054.html	2025-02-05 20:40:47 +04:00
Aleksei Bavshin	2e42c1e29e	QUIC: added missing casts in iov_base assignments. This is consistent with the rest of the code and fixes build on systems with non-standard definition of struct iovec (Solaris, Illumos).	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	9cda58178b	Gzip: compatibility with recent zlib-ng 2.2.x versions. It now uses 5/4 times more memory for the pending buffer. Further, a single allocation is now used, which takes additional 56 bytes for deflate_allocs in 64-bit mode aligned to 16, to store sub-allocation pointers, and the total allocation size now padded up to 128 bytes, which takes theoretically 200 additional bytes in total. This fits though into "4 * (64 + sizeof(void*))" additional space for ZALLOC used in zlib-ng 2.1.x versions. The comment was updated to reflect this.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	977824010f	QUIC: prevented BIO leak in case of error.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	5c8a92f1f0	QUIC: fixed accessing a released stream. While trying to close a stream in ngx_quic_close_streams() by calling its read event handler, the next stream saved prior to that could be destroyed recursively. This caused a segfault while trying to access the next stream. The way the next stream could be destroyed in HTTP/3 is the following. A request stream read event handler ngx_http_request_handler() could end up calling ngx_http_v3_send_cancel_stream() to report a cancelled request stream in the decoder stream. If sending stream cancellation decoder instruction fails for any reason, and the decoder stream is the next in order after the request stream, the issue is triggered. The fix is to postpone calling read event handlers for all streams being closed to avoid closing a released stream.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	0d11f2885e	QUIC: ignore version negotiation packets. Previously, such packets were treated as long header packets with unknown version 0, and a version negotiation packet was sent in response. This could be used to set up an infinite traffic reflect loop with another nginx instance. Now version negotiation packets are ignored. As per RFC 9000, Section 6.1: An endpoint MUST NOT send a Version Negotiation packet in response to receiving a Version Negotiation packet.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	e9e83dbb69	Mp4: prevent chunk index underflow. When cropping stsc atom, it's assumed that chunk index is never 0. Based on this assumption, start_chunk and end_chunk are calculated by subtracting 1 from it. If chunk index is zero, start_chunk or end_chunk may underflow, which will later trigger "start/end time is out mp4 stco chunks" error. The change adds an explicit check for zero chunk index to avoid underflow and report a proper error. Zero chunk index is explicitly banned in ISO/IEC 14496-12, 8.7.4 Sample To Chunk Box. It's also implicitly banned in QuickTime File Format specification. Description of chunk offset table references "Chunk 1" as the first table element.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	1ebe58a02e	Mp4: unordered stsc chunks error for the final chunk. Currently an error is triggered if any of the chunk runs in stsc are unordered. This however does not include the final chunk run, which ends with trak->chunks + 1. The previous chunk index can be larger leading to a 32-bit overflow. This could allow to skip the validity check "if (start_sample > n)". This could later lead to a large trak->start_chunk/trak->end_chunk, which would be caught later in ngx_http_mp4_update_stco_atom() or ngx_http_mp4_update_co64_atom(). While there are no implications of the validity check being avoided, the change still adds a check to ensure the final chunk run is ordered, to produce a meaningful error and avoid a potential integer overflow.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	4712dee882	Mp4: fixed handling an empty run of chunks in stsc atom. A specially crafted mp4 file with an empty run of chunks in the stsc atom and a large value for samples per chunk for that run, combined with a specially crafted request, allowed to store that large value in prev_samples and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stsz_atom() this could result in buffer overread while calculating trak->end_chunk_samples_size. Now the value of samples per chunk specified for an empty run is ignored.	2025-02-05 20:40:47 +04:00
Thierry Bastian	cfd68334d8	Configure: MSVC compatibility with PCRE2 10.43.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	35a1420560	Moved LICENSE and README to root.	2025-02-05 20:40:47 +04:00
Roman Arutyunyan	bfe0a1fd6e	Switched GNUmakefile from hg to git.	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	11b890d66d	Version bump.	2025-02-05 20:40:47 +04:00
Sergey Kandaurov	99a5842241	release-1.26.2 tag	2024-08-12 18:28:31 +04:00
Sergey Kandaurov	37fe983554	nginx-1.26.2-RELEASE	2024-08-12 18:25:45 +04:00
Sergey Kandaurov	6da478eacd	Updated OpenSSL used for win32 builds.	2024-08-12 18:20:49 +04:00
Roman Arutyunyan	2262362fd3	Mp4: rejecting unordered chunks in stsc atom. Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() this caused buffer overread while trying to calculate trak->end_offset.	2024-08-12 18:20:45 +04:00
Roman Arutyunyan	3dc0fba5ad	Mp4: fixed buffer underread while updating stsz atom. While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer overflow could happen, which could result in incorrect seeking and a very large value stored in "samples". This resulted in a large invalid value of trak->end_chunk_samples. This value is further used to calculate the value of trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing this, a large invalid value of trak->end_chunk_samples could result in reading memory before stsz atom start. This could potentially result in a segfault.	2024-08-12 18:20:43 +04:00
Sergey Kandaurov	e1daadc388	Typo fixed.	2024-08-09 19:12:23 +04:00
Sergey Kandaurov	ddd5b9c531	Version bump.	2024-08-12 18:21:52 +04:00
Sergey Kandaurov	46222c0ab3	release-1.26.1 tag	2024-05-28 17:28:07 +04:00
Sergey Kandaurov	02725ce722	nginx-1.26.1-RELEASE	2024-05-28 17:26:54 +04:00
Sergey Kandaurov	ffed470390	HTTP/3: fixed handling of zero-length literal field line. Previously, st->value was passed with NULL data pointer to header handlers.	2024-05-28 17:20:45 +04:00
Roman Arutyunyan	0e7702e066	QUIC: ngx_quic_buffer_t use-after-free protection. Previously the last chain field of ngx_quic_buffer_t could still reference freed chains and buffers after calling ngx_quic_free_buffer(). While normally an ngx_quic_buffer_t object should not be used after freeing, resetting last_chain field would prevent a potential use-after-free.	2024-05-28 17:19:21 +04:00
Roman Arutyunyan	376f12e40a	QUIC: ignore CRYPTO frames after handshake completion. Sending handshake-level CRYPTO frames after the client's Finished message could lead to memory disclosure and a potential segfault, if those frames are sent in one packet with the Finished frame.	2024-05-28 17:19:08 +04:00
Roman Arutyunyan	3f2d8cb8f9	HTTP/3: fixed dynamic table overflow. While inserting a new entry into the dynamic table, first the entry is added, and then older entries are evicted until table size is within capacity. After the first step, the number of entries may temporarily exceed the maximum calculated from capacity by one entry, which previously caused table overflow. The easiest way to trigger the issue is to keep adding entries with empty names and values until first eviction. The issue was introduced by 987bee4363d1.	2024-05-28 17:18:50 +04:00
Roman Arutyunyan	326150b82d	HTTP/3: decoder stream pre-creation. Previously a decoder stream was created on demand for sending Section Acknowledgement, Stream Cancellation and Insert Count Increment. If conditions for sending any of these instructions never happen, a decoder stream is not created at all. These conditions include client not using the dynamic table and no streams abandoned by server (RFC 9204, Section 2.2.2.2). However RFC 9204, Section 4.2 defines only one condition for not creating a decoder stream: An endpoint MAY avoid creating a decoder stream if its decoder sets the maximum capacity of the dynamic table to zero. The change enables pre-creation of the decoder stream at HTTP/3 session initialization if maximum dynamic table capacity is not zero. Note that this value is currently hardcoded to 4096 bytes and is not configurable, so the stream is now always created. Also, the change fixes a potential stack overflow when creating a decoder stream in ngx_http_v3_send_cancel_stream() while draining a request stream by ngx_drain_connections(). Creating a decoder stream involves calling ngx_get_connection(), which calls ngx_drain_connections(), which will drain the same request stream again. If client's MAX_STREAMS for uni stream is high enough, these recursive calls will continue until we run out of stack. Otherwise, decoder stream creation will fail at some point and the request stream connection will be drained. This may result in use-after-free, since this connection could still be referenced up the stack.	2024-05-28 17:18:28 +04:00
Sergey Kandaurov	eaa6daa5f5	QUIC: client transport parameter data length checking.	2024-05-28 17:17:19 +04:00
Roman Arutyunyan	75e3004902	Optimized chain link usage (ticket #2614 ). Previously chain links could sometimes be dropped instead of being reused, which could result in increased memory consumption during long requests. A similar chain link issue in ngx_http_gzip_filter_module was fixed in da46bfc484ef (1.11.10). Based on a patch by Sangmin Lee.	2024-05-23 19:15:38 +04:00
Edgar Bonet	a728869cd1	Configure: fixed building libatomic test. Using "long " instead of "AO_t " leads either to -Wincompatible-pointer-types or -Wpointer-sign warnings, depending on whether long and size_t are compatible types (e.g., ILP32 versus LP64 data models). Notably, -Wpointer-sign warnings are enabled by default in Clang only, and -Wincompatible-pointer-types is an error starting from GCC 14. Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>	2024-05-16 11:15:10 +02:00
Sergey Kandaurov	ee561abfdf	Version bump.	2024-05-28 17:14:08 +04:00
Roman Arutyunyan	ea3f44e012	release-1.26.0 tag	2024-04-23 18:04:32 +04:00
Roman Arutyunyan	361f6bf4b1	nginx-1.26.0-RELEASE	2024-04-23 17:40:08 +04:00
Roman Arutyunyan	ee19cf9800	Stable branch.	2024-04-23 17:31:41 +04:00