- Like many computer software topics, it is all about solving problems.
- Security within software is one of the most important parts.
- The purpose here is to secure applications to reduce the surface of attack vectors.
- Today we will be focusing in one particular solution.
David CARLIER devnexen
devnexen
/ proxy_v2_settings_reinit.py
Created
March 20, 2026 17:21
Reproducer: proxy_v2 ctx->settings/ctx->pings not reset on upstream reinit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| Reproducer for proxy_v2 ctx->settings / ctx->pings not reset on reinit. | |
| Demonstrates that the DoS counters accumulate across upstream retries, | |
| causing a healthy second upstream to be falsely rejected with | |
| "upstream sent too many settings frames". | |
| Usage: | |
| 1. Build nginx with --with-http_v2_module |
devnexen
/ poc_early_hints.py
Created
March 15, 2026 16:03
PoC: nginx early_hints_length not reset on upstream reinit (PR #1187)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| PoC: early_hints_length not reset on upstream reinit | |
| Demonstrates that when nginx retries a request to a second upstream | |
| after receiving 103 Early Hints from the first, the accumulated | |
| early_hints_length carries over, causing the second upstream's | |
| early hints to be incorrectly rejected as "too big". | |
| Bug location: src/http/ngx_http_upstream.c |
devnexen
/ gpu_numa_bench.rs
Last active
March 8, 2026 07:55
Benchmark: NVML API vs sysfs read for GPU NUMA node ID retrieval
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #![cfg(feature = "gpu-topology")] | |
| use nvml_wrapper::bitmasks::InitFlags; | |
| use nvml_wrapper::Nvml; | |
| use std::path::Path; | |
| use std::time::Instant; | |
| fn read_from_file<T: std::str::FromStr>(path: &Path) -> Option<T> { | |
| std::fs::read_to_string(path) | |
| .ok() |
devnexen
/ poc_stale_frames_grpc.py
Created
March 6, 2026 22:25
PoC: Stale HTTP/2 control frames leaked to new upstream on gRPC reinit (nginx PR #1136)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| PoC: Stale HTTP/2 control frames leaked to new upstream on grpc reinit. | |
| Demonstrates that without the ctx->out/ctx->in/ctx->busy = NULL fix in | |
| ngx_http_grpc_reinit_request(), PING ACK / SETTINGS ACK frames | |
| queued for a failed upstream connection are sent to the next upstream | |
| during a grpc_next_upstream retry. | |
| Setup: |
devnexen
/ poc_stale_frames.py
Created
March 6, 2026 15:44
PoC: Stale HTTP/2 control frames leaked to new upstream on proxy_v2 reinit (nginx PR #1135)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| """ | |
| PoC: Stale HTTP/2 control frames leaked to new upstream on reinit. | |
| Demonstrates that without the ctx->out = NULL fix in | |
| ngx_http_proxy_v2_reinit_request(), PING ACK / SETTINGS ACK frames | |
| queued for a failed upstream connection are sent to the next upstream | |
| during a proxy_next_upstream retry. | |
| Setup: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OpenBSD is originally a fork of NetBSD from 1995. | |
| Theo de Raadt who is the founder, was before a NetBSD developer until he eventually resigned due to strong disagreements with the rest of the Core Team. | |
| 1/ What makes OpenBSD different from other main *BSD ? | |
| - OpenBSD focuses more on security, striving through the releases to defeat most of incoming attacks and security threats, | |
| rather than pure performances and portability. | |
| - "Softwares will never be perfect" is the main motto from Theo himself, hence it is always an ongoing work. Most of security features are enabled by default, some cannot be possibly disabled (e.g. ASLR). | |
| - Similarly, apart of security, new features are rather applied in the longer term. | |
| - A release every 6 month, a release officially supported for 1 year (security fixes/errata backported). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <sys/capsicum.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| int | |
| main(int argc, char *argv[]) | |
| { | |
| int c, errs; | |
| u_int mod; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <sys/prctl.h> | |
| #include <seccomp.h> | |
| #include <fcntl.h> | |
| #include <unistd.h> | |
| #include <errno.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> |