update nginx to v1.27.1

CHANGES

@@ -1,4 +1,20 @@
 
+Changes with nginx 1.27.1                                        14 Aug 2024
+
+    *) Security: processing of a specially crafted mp4 file by the
+       ngx_http_mp4_module might cause a worker process crash
+       (CVE-2024-7347).
+       Thanks to Nils Bars.
+
+    *) Change: now the stream module handler is not mandatory.
+
+    *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
+       worker processes.
+       Thanks to Kasei Wang.
+
+    *) Bugfixes in HTTP/3.
+
+
 Changes with nginx 1.27.0                                        29 May 2024
 
     *) Security: when using HTTP/3, processing of a specially crafted QUIC
@@ -15,7 +31,7 @@ Changes with nginx 1.27.0                                        29 May 2024
     *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
        "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
 
-    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
+    *) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic
        option was used.
        Thanks to Edgar Bonet.
 

CHANGES.ru

@@ -1,4 +1,21 @@
 
+Изменения в nginx 1.27.1                                          14.08.2024
+
+    *) Безопасность: обработка специально созданного mp4-файла модулем
+       ngx_http_mp4_module могла приводить к падению рабочего процесса
+       (CVE-2024-7347).
+       Спасибо Nils Bars.
+
+    *) Изменение: теперь обработчик в модуле stream не является
+       обязательным.
+
+    *) Исправление: новые HTTP/2-соединения могли игнорировать плавное
+       завершение старых рабочих процессов.
+       Спасибо Kasei Wang.
+
+    *) Исправления в HTTP/3.
+
+
 Изменения в nginx 1.27.0                                          29.05.2024
 
     *) Безопасность: при использовании HTTP/3 обработка специально созданной
@@ -16,7 +33,7 @@
        grpc_pass.
 
     *) Исправление: nginx не собирался gcc 14, если использовался параметр
-       --with-atomic.
+       --with-libatomic.
        Спасибо Edgar Bonet.
 
     *) Исправления в HTTP/3.

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1027000
-#define NGINX_VERSION      "1.27.0"
+#define nginx_version      1027001
+#define NGINX_VERSION      "1.27.1"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/event/quic/ngx_event_quic.c

@@ -1022,6 +1022,16 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
         }
     }
 
+    if (pkt->level == ssl_encryption_application) {
+        /*
+         * RFC 9001, 4.9.3.  Discarding 0-RTT Keys
+         *
+         * After receiving a 1-RTT packet, servers MUST discard
+         * 0-RTT keys within a short time
+         */
+        ngx_quic_discard_ctx(c, ssl_encryption_early_data);
+    }
+
     if (qc->closing) {
         /*
          * RFC 9000, 10.2.  Immediate Close

src/event/quic/ngx_event_quic_protection.c

@@ -743,8 +743,15 @@ ngx_quic_keys_discard(ngx_quic_keys_t *keys,
     ngx_quic_crypto_hp_cleanup(client);
     ngx_quic_crypto_hp_cleanup(server);
 
-    ngx_explicit_memzero(client->secret.data, client->secret.len);
-    ngx_explicit_memzero(server->secret.data, server->secret.len);
+    if (client->secret.len) {
+        ngx_explicit_memzero(client->secret.data, client->secret.len);
+        client->secret.len = 0;
+    }
+
+    if (server->secret.len) {
+        ngx_explicit_memzero(server->secret.data, server->secret.len);
+        server->secret.len = 0;
+    }
 }
 
 
@@ -844,6 +851,9 @@ ngx_quic_keys_update(ngx_event_t *ev)
     ngx_explicit_memzero(current->server.secret.data,
                          current->server.secret.len);
 
+    current->client.secret.len = 0;
+    current->server.secret.len = 0;
+
     ngx_explicit_memzero(client_key.data, client_key.len);
     ngx_explicit_memzero(server_key.data, server_key.len);
 
@@ -870,10 +880,17 @@ ngx_quic_keys_cleanup(ngx_quic_keys_t *keys)
     ngx_quic_crypto_cleanup(&next->client);
     ngx_quic_crypto_cleanup(&next->server);
 
-    ngx_explicit_memzero(next->client.secret.data,
-                         next->client.secret.len);
-    ngx_explicit_memzero(next->server.secret.data,
-                         next->server.secret.len);
+    if (next->client.secret.len) {
+        ngx_explicit_memzero(next->client.secret.data,
+                             next->client.secret.len);
+        next->client.secret.len = 0;
+    }
+
+    if (next->server.secret.len) {
+        ngx_explicit_memzero(next->server.secret.data,
+                             next->server.secret.len);
+        next->server.secret.len = 0;
+    }
 }
 
 

src/http/modules/ngx_http_mp4_module.c

@@ -3099,7 +3099,8 @@ static ngx_int_t
 ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
 {
-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
+    uint64_t               n;
+    uint32_t               start_sample, chunk, samples, id, next_chunk,
                            prev_samples;
     ngx_buf_t             *data, *buf;
     ngx_uint_t             entries, target_chunk, chunk_samples;
@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
         next_chunk = ngx_mp4_get_32value(entry->chunk);
 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                        "sample:%uD, chunk:%uD, chunks:%uD, "
                        "samples:%uD, id:%uD",
                        start_sample, chunk, next_chunk - chunk, samples, id);
 
-        n = (next_chunk - chunk) * samples;
+        n = (uint64_t) (next_chunk - chunk) * samples;
 
         if (start_sample < n) {
             goto found;
@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
                    start_sample, chunk, next_chunk - chunk, samples);
 
-    n = (next_chunk - chunk) * samples;
+    n = (uint64_t) (next_chunk - chunk) * samples;
 
     if (start_sample > n) {
         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,

src/http/v2/ngx_http_v2.c

@@ -292,6 +292,11 @@ ngx_http_v2_init(ngx_event_t *rev)
 
     c->data = h2c;
 
+    if (ngx_exiting) {
+        ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
+        return;
+    }
+
     rev->handler = ngx_http_v2_read_handler;
     c->write->handler = ngx_http_v2_write_handler;
 

src/stream/ngx_stream_core_module.c

@@ -458,6 +458,13 @@ ngx_stream_core_content_phase(ngx_stream_session_t *s,
         return NGX_OK;
     }
 
+    if (cscf->handler == NULL) {
+        ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
+                       "no handler for server");
+        ngx_stream_finalize_session(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+        return NGX_OK;
+    }
+
     cscf->handler(s);
 
     return NGX_OK;
@@ -734,13 +741,6 @@ ngx_stream_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         conf->resolver = prev->resolver;
     }
 
-    if (conf->handler == NULL) {
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                      "no handler for server in %s:%ui",
-                      conf->file_name, conf->line);
-        return NGX_CONF_ERROR;
-    }
-
     if (conf->error_log == NULL) {
         if (prev->error_log) {
             conf->error_log = prev->error_log;

src/stream/ngx_stream_ssl_preread_module.c

@@ -519,7 +519,7 @@ ngx_stream_ssl_preread_servername(ngx_stream_session_t *s,
 
     host = *servername;
 
-    rc = ngx_stream_validate_host(&host, c->pool, 1);
+    rc = ngx_stream_validate_host(&host, c->pool, 0);
 
     if (rc == NGX_ERROR) {
         return NGX_ERROR;