nginx 1.25.3.1 http2 segfault with ja3 patch added #51
Comments
Seems there's a buffer overflow in ja3, let me try to figure it out.
If you need help in testing / debugging I can build & deploy in 15 minutes to see if a fix works. I also shared a private GitHub repo with the last core & binary & debug symbols.
I had time to check up on this. I created a patch where I check allocation success etc., and it's working just fine now, no segfaults.
I am not familiar with ngx internal data structures, so I checked every allocation and variable to make sure there is no issue with them, but that might not be needed at all in the end. So please somehow keep only the necessary checks you know are needed.
@macskas do you have a fork repository with your fix? Not a file attachment.
I created a fork & ran the test for the changes: https://github.com/macskas/nginx-ssl-fingerprint
Planning to use this module also, and I know NGINX structures & idioms well. @macskas I checked your patch; it seems most of the fixes are valid. But I think that the root cause is inside the patch of the openssl lib, e.g.: https://github.com/phuslu/nginx-ssl-fingerprint/blob/master/patches/openssl.openssl-3.2.patch#L121; openssl checks ret: https://github.com/openssl/openssl/blob/master/include/internal/packet.h#L431; I believe it could memcpy NULL or something like that. Anyway I will test this idea. Btw, I'm quite not sure why the h2 patch has such changes. I believe it could be simplified. By the end of this week and/or the middle of next week I'm planning to introduce a patch; some of the fixes I would like to take from yours (checking npalloc() is a correct fix, it should be checked). I will keep you posted here.
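The two points raised above (checking every pool allocation before use, and the suspicion that the OpenSSL patch lets a NULL buffer reach memcpy) come down to the same defensive pattern. The following is an added example, not code from nginx-ssl-fingerprint, nginx or OpenSSL: it uses a hypothetical `pool_alloc` stand-in with fault injection (not `ngx_pnalloc`) so the allocation-failure path can be exercised offline, and the fingerprint string is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a pool allocator (not nginx's ngx_pnalloc).
 * When fail_allocs is non-zero it returns NULL to simulate pool exhaustion,
 * the condition an unchecked call site never handles. */
static int fail_allocs = 0;

static void *pool_alloc(size_t n) {
    if (fail_allocs) {
        return NULL;
    }
    return malloc(n);
}

/* Unchecked pattern: copies the fingerprint into pool memory without
 * verifying the allocation. memcpy into NULL dereferences it (segfault). */
char *copy_fingerprint_unchecked(const char *fp, size_t len) {
    char *dst = pool_alloc(len + 1);
    memcpy(dst, fp, len);   /* crashes when dst == NULL */
    dst[len] = '\0';
    return dst;
}

/* Checked pattern: validate the source pointer and the allocation before
 * copying, and return NULL so the caller can skip the variable instead of
 * crashing the worker. */
char *copy_fingerprint_checked(const char *fp, size_t len) {
    if (fp == NULL) {
        return NULL;
    }
    char *dst = pool_alloc(len + 1);
    if (dst == NULL) {
        return NULL;
    }
    memcpy(dst, fp, len);
    dst[len] = '\0';
    return dst;
}

/* Exercise the checked copy under normal, exhausted-pool and NULL-source
 * conditions. Returns 1 when every case is handled and the good copy matches. */
int demo_checked_path(void) {
    /* constructed sample in the ja3 comma-separated layout */
    const char *fp = "771,4865-4866,0-23-65281,29-23-24,0";
    size_t len = strlen(fp);

    fail_allocs = 0;
    char *ok = copy_fingerprint_checked(fp, len);
    int good = (ok != NULL && strcmp(ok, fp) == 0);
    free(ok);

    fail_allocs = 1;                              /* simulate pool exhaustion */
    char *exhausted = copy_fingerprint_checked(fp, len);
    int exhausted_handled = (exhausted == NULL);
    fail_allocs = 0;

    char *from_null = copy_fingerprint_checked(NULL, 0);
    int null_handled = (from_null == NULL);

    return good && exhausted_handled && null_handled;
}

int main(void) {
    printf("checked path handled allocation failure: %s\n",
           demo_checked_path() ? "yes" : "no");
    return 0;
}
```

The unchecked variant is kept only to show the shape of the bug; calling it with `fail_allocs` set would crash exactly as the reported worker does. In the real module the equivalent check is on the `ngx_pnalloc()` return value, with the caller returning `NGX_ERROR` or leaving the variable unset rather than returning NULL from a bare helper.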
I cannot reproduce the error with curl, I can't see it in the logs (it segfaults before the log) and there are like 4k rps on a single server, so debug logs are not really an option :( In the core I see the original request url with gdb. But that's about it. If I call the url directly there is no error.
Today I tested with and without the ja3 patch. Same build process (official openresty builder). With ja3, there is a segfault every 10 minutes; without it, no segfault at all.
The core contains sensitive information so I cannot share it publicly.
I know this is not much: