
Conversation

@stepan-dolgorukov stepan-dolgorukov commented Aug 25, 2025

There is source code that may cause undefined behavior (UB): line 4112 of the file "src/http/v2/ngx_http_v2.c".

UB occurs when 'n' is added to the pointer 'pos' while 'pos' is NULL. If 'pos' equals NULL and 'n' equals 0, then 'pos + n' is UB in C, but not in C++. There is a proposal to allow 'NULL + 0' in C: N3322.

There are 3 calls of the function 'ngx_http_v2_process_request_body' in which the values of the arguments 'pos' and 'n' are fixed: 'pos' equals NULL, 'n' equals 0:

A message from UndefinedBehaviorSanitizer:

src/http/v2/ngx_http_v2.c:4013:17: runtime error: applying zero offset to null pointer
#0 0x55c6e5415ac2 in ngx_http_v2_process_request_body /var/lib/builder/build/nginx/src/http/v2/ngx_http_v2.c:4013:17
#1 0x55c6e54192f2 in ngx_http_v2_read_unbuffered_request_body /var/lib/builder/build/nginx/src/http/v2/ngx_http_v2.c:4305:10
#2 0x55c6e526c2ff in ngx_http_read_unbuffered_request_body /var/lib/builder/build/nginx/src/http/ngx_http_request_body.c:238:14
#3 0x55c6e5306d90 in ngx_http_upstream_send_request_body /var/lib/builder/build/nginx/src/http/ngx_http_upstream.c:2323:18
#4 0x55c6e52ed673 in ngx_http_upstream_send_request /var/lib/builder/build/nginx/src/http/ngx_http_upstream.c:2144:10
#5 0x55c6e52e8294 in ngx_http_upstream_send_request_handler /var/lib/builder/build/nginx/src/http/ngx_http_upstream.c:2387:5
#6 0x55c6e52e7cab in ngx_http_upstream_handler /var/lib/builder/build/nginx/src/http/ngx_http_upstream.c:1318:9
#7 0x55c6e51412bc in ngx_epoll_process_events /var/lib/builder/build/nginx/src/event/modules/ngx_epoll_module.c:930:17
#8 0x55c6e50e8c30 in ngx_process_events_and_timers /var/lib/builder/build/nginx/src/event/ngx_event.c:248:12
#9 0x55c6e5135770 in ngx_worker_process_cycle /var/lib/builder/build/nginx/src/os/unix/ngx_process_cycle.c:721:9
#10 0x55c6e5128ed8 in ngx_spawn_process /var/lib/builder/build/nginx/src/os/unix/ngx_process.c:199:9
#11 0x55c6e512fde5 in ngx_start_worker_processes /var/lib/builder/build/nginx/src/os/unix/ngx_process_cycle.c:344:9
#12 0x55c6e512ea68 in ngx_master_process_cycle /var/lib/builder/build/nginx/src/os/unix/ngx_process_cycle.c:130:5
#13 0x55c6e4fb35d6 in main /var/lib/builder/build/nginx/src/core/nginx.c:384:9
#14 0x7fc532fb0d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7fc532fb0e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#16 0x55c6e4f89af4 in _start (/var/lib/builder/build/build.ubsan/nginx+0x6eaaf4) (BuildId: 3757e30af8e95a8848efcba24fa9c9e8e7a65028)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/http/v2/ngx_http_v2.c:4013:17 in

Tested on nginx, built from the latest commit, hash 481d28c (tag: release-1.28.0).
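The pointer-arithmetic pattern behind the sanitizer report, as an added example that is not nginx's code: a hypothetical body sink with the same (pos, n) calling convention, first in the form that computes pos + n unconditionally (the expression UBSan flags when pos is NULL and n is 0), then in a guarded form that never applies an offset to a null pointer. The type and function names (body_ctx, process_body_unguarded, process_body_guarded, and the three check helpers) are invented for the example, and the two body chunks are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical body sink state; not an nginx structure. */
typedef struct {
    size_t received;   /* body bytes consumed so far */
    int    flushes;    /* how many times the caller asked to flush */
} body_ctx;

/* Unguarded form: forms end = pos + n before looking at n. With pos == NULL
 * and n == 0 this is the expression UBSan reports as "applying zero offset
 * to null pointer" (undefined in C17; N3322 proposes to allow it). */
int process_body_unguarded(body_ctx *ctx, const unsigned char *pos, size_t n, int flush)
{
    const unsigned char *end = pos + n;      /* UB when pos == NULL */

    ctx->received += (size_t) (end - pos);   /* also UB when both are NULL */
    if (flush) {
        ctx->flushes++;
    }
    return 0;
}

/* Guarded form: a "no data" call (pos == NULL, n == 0) does no pointer
 * arithmetic at all, so no offset is ever applied to NULL. */
int process_body_guarded(body_ctx *ctx, const unsigned char *pos, size_t n, int flush)
{
    const unsigned char *end;

    if (n == 0) {
        /* nothing to consume; only the flush request matters */
        if (flush) {
            ctx->flushes++;
        }
        return 0;
    }

    if (pos == NULL) {
        return -1;   /* n > 0 with no buffer is a caller bug: reject it */
    }

    end = pos + n;
    ctx->received += (size_t) (end - pos);
    if (flush) {
        ctx->flushes++;
    }
    return 0;
}

/* Replays the (NULL, 0) call from the report against the guarded sink.
 * Returns 1 when it is a clean no-op: success, zero bytes, one flush. */
int guarded_null_zero_is_noop(void)
{
    body_ctx ctx = { 0, 0 };

    if (process_body_guarded(&ctx, NULL, 0, 1) != 0) {
        return 0;
    }
    return ctx.received == 0 && ctx.flushes == 1;
}

/* Returns 1 when the guarded sink rejects a NULL buffer with a non-zero length. */
int guarded_rejects_null_with_length(void)
{
    body_ctx ctx = { 0, 0 };

    return process_body_guarded(&ctx, NULL, 4, 0) == -1 && ctx.received == 0;
}

/* Feeds the (NULL, 0) call followed by two constructed body chunks and
 * returns the total bytes received (17 + 6 = 23 for the chunks below). */
size_t feed_guarded_total(void)
{
    static const unsigned char chunk1[] = "POST body part 1 ";  /* constructed sample */
    static const unsigned char chunk2[] = "part 2";             /* constructed sample */
    body_ctx ctx = { 0, 0 };

    if (process_body_guarded(&ctx, NULL, 0, 0) != 0
        || process_body_guarded(&ctx, chunk1, sizeof chunk1 - 1, 0) != 0
        || process_body_guarded(&ctx, chunk2, sizeof chunk2 - 1, 1) != 0)
    {
        return (size_t) -1;
    }
    return ctx.received;
}

int main(void)
{
    body_ctx ctx = { 0, 0 };

    /* Under -fsanitize=undefined this call prints a runtime error of the
     * same shape as the report; the guarded calls below stay silent. */
    process_body_unguarded(&ctx, NULL, 0, 1);

    printf("guarded NULL+0 no-op: %d\n", guarded_null_zero_is_noop());
    printf("guarded rejects NULL with length: %d\n", guarded_rejects_null_with_length());
    printf("guarded total bytes: %zu\n", feed_guarded_total());
    return 0;
}
```

Build with `clang -fsanitize=undefined -O1 example.c -o example && ./example`; the unguarded call in main triggers Clang's pointer-overflow check ("applying zero offset to null pointer"), while the guarded sink handles the same (NULL, 0) call without any arithmetic on the null pointer and additionally rejects the inconsistent (NULL, n > 0) case.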

@stepan-dolgorukov stepan-dolgorukov force-pushed the prevent-ub-when-processing-http2-body branch 2 times, most recently from 5fd056c to bf4d72e Compare August 27, 2025 10:55
@stepan-dolgorukov stepan-dolgorukov force-pushed the prevent-ub-when-processing-http2-body branch from bf4d72e to 4b6f3ff Compare August 27, 2025 10:55
@pluknet
Contributor

pluknet commented Sep 17, 2025

As you noted, there is a proposal (N3322) to allow zero-length operations on null pointers in the next C standard, C2Y.
Note that it was accepted by WG14 nearly a year ago.
Neither GCC nor Clang seems to make optimizations based on this UB (details, as well as the reasoning why adding these checks may harm, are to be found in the N3322 document).
That said, I don't see a need for immediate action to fix these UBSan warnings; they ought to go away with the next fixed tool update.
