| 1 | +From 8a1de7eceb8c836d85868386814abe50c74d6f84 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Roman Arutyunyan <arut@nginx.com> |
| 3 | +Date: Thu, 29 Jan 2026 13:27:32 +0400 |
| 4 | +Subject: [PATCH] Upstream: detect premature plain text response from SSL |
| 5 | + backend. |
| 6 | + |
| 7 | +When connecting to a backend, the connection write event is triggered |
| 8 | +first in most cases. However if a response arrives quickly enough, both |
| 9 | +read and write events can be triggered together within the same event loop |
| 10 | +iteration. In this case the read event handler is called first and the |
| 11 | +write event handler is called after it. |
| 12 | + |
| 13 | +SSL initialization for backend connections happens only in the write event |
| 14 | +handler since SSL handshake starts with sending Client Hello. Previously, |
| 15 | +if a backend sent a quick plain text response, it could be parsed by the |
| 16 | +read event handler prior to starting SSL handshake on the connection. |
| 17 | +The change adds protection against parsing such responses on SSL-enabled |
| 18 | +connections. |
| 19 | + |
| 20 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 21 | +Upstream-reference: https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e.patch |
| 22 | +--- |
| 23 | + src/http/ngx_http_upstream.c | 9 +++++++++ |
| 24 | + 1 file changed, 9 insertions(+) |
| 25 | + |
| 26 | +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c |
| 27 | +index ded833c..a567226 100644 |
| 28 | +--- a/src/http/ngx_http_upstream.c |
| 29 | ++++ b/src/http/ngx_http_upstream.c |
| 30 | +@@ -2443,6 +2443,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) |
| 31 | + return; |
| 32 | + } |
| 33 | + |
| 34 | ++#if (NGX_HTTP_SSL) |
| 35 | ++ if (u->ssl && c->ssl == NULL) { |
| 36 | ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, |
| 37 | ++ "upstream prematurely sent response"); |
| 38 | ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); |
| 39 | ++ return; |
| 40 | ++ } |
| 41 | ++#endif |
| 42 | ++ |
| 43 | + u->state->bytes_received += n; |
| 44 | + |
| 45 | + u->buffer.last += n; |
| 46 | +-- |
| 47 | +2.45.4 |
| 48 | + |