From 26a57486f013abff616be8345e542c15419f0759 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Fri, 1 Jun 2018 16:53:02 +0300
Subject: [PATCH] Events: fixed handling zero-length client address.

On Linux recvmsg() syscall may return a zero-length client address when
receiving a datagram from an unbound unix datagram socket.  It is usually
assumed that socket address has at least the sa_family member.  Zero-length
socket address caused buffer over-read in functions which receive socket
address, for example ngx_sock_ntop().  Typically the over-read resulted in
unexpected socket family followed by session close.  Now a fake socket address
is allocated instead of a zero-length client address.
---
 src/event/ngx_event_accept.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
index 775637090..7e9f742a0 100644
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -448,6 +448,18 @@ ngx_event_recvmsg(ngx_event_t *ev)
             c->socklen = sizeof(ngx_sockaddr_t);
         }
 
+        if (c->socklen == 0) {
+
+            /*
+             * on Linux recvmsg() returns zero msg_namelen
+             * when receiving packets from unbound AF_UNIX sockets
+             */
+
+            c->socklen = sizeof(struct sockaddr);
+            ngx_memzero(&sa, sizeof(struct sockaddr));
+            sa.sockaddr.sa_family = ls->sockaddr->sa_family;
+        }
+
 #if (NGX_STAT_STUB)
         (void) ngx_atomic_fetch_add(ngx_stat_active, 1);
 #endif