ngx_http_variable_unknown_header() dereferences null pointer

Franchoze Eric franchoze at yandex.ru
Sat Sep 4 00:06:45 MSD 2010


Got a segfault at src/http/ngx_http_upstream.c:3905

0.8.49
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)

/*
 * Variable handler that looks a header up in r->upstream->headers_in.
 *
 * If the request has no upstream (r->upstream == NULL), the value is marked
 * not found and NGX_OK is returned.  Otherwise the lookup is handed to
 * ngx_http_variable_unknown_header() with "data" cast to ngx_str_t *, the
 * first part of the upstream header list, and the length of the
 * "upstream_http_" prefix.
 *
 * NOTE(review): "v" is never checked in this function and is written in the
 * NULL-upstream branch, so the caller has to supply a valid pointer.
 */
ngx_int_t
ngx_http_upstream_header_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    /* only a missing upstream is detected here; a stale or overwritten
     * r->upstream still passes this test */
    if (r->upstream == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    /*
     * NOTE(review): in the core dump quoted in this report r->upstream is
     * non-NULL and the headers_in fields hold values that look like printable
     * ASCII rather than pointers or counts, and frames #1/#2 of the backtrace
     * are unresolved.  That suggests the structure was overwritten or already
     * released before this call, rather than a plain NULL "v" -- confirm
     * against the module that owns the upstream.
     */
    return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
                                         &r->upstream->headers_in.headers.part,
                                         sizeof("upstream_http_") - 1);
}

...
ngx_http_variable_unknown_header () {
            /* excerpt only (the rest of the body is elided in this report):
             * both stores write through "v" with no visible NULL check, so a
             * NULL "v" would fault on the first of them */
            v->len = header[i].value.len;
            v->valid = 1;

}


[New process 6511]
#0  ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
    at src/http/ngx_http_upstream.c:3905
3905	    return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
(gdb) bt
#0  ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
    at src/http/ngx_http_upstream.c:3905
#1  0x000000000816aab0 in ?? ()
#2  0x0000000000afa068 in ?? ()
#3  0x0000000000436a92 in ngx_http_upstream_check_broken_connection (r=0x1f3, ev=0x816aab0)
    at src/http/ngx_http_upstream.c:1026
#4  0x0000000000436b17 in ngx_http_upstream_check_broken_connection (r=0x5, ev=0x0)
    at src/http/ngx_http_upstream.c:1048
#5  0x0000000000464609 in ngx_http_memc_process_simple_header (r=0x816aab0)
    at src/ngx_http_memc_response.c:3230
#6  0x0000000000889110 in ?? ()
#7  0x0000000000889110 in ?? ()
#8  0x000000000041d3b0 in ngx_worker_process_cycle (cycle=0xfffffffffffffffd, data=<value optimized out>)
    at src/os/unix/ngx_process_cycle.c:775
#9  0x000000000041bcf7 in ngx_spawn_process (cycle=0x889110, proc=0x41d2e8 <ngx_worker_process_exit+356>, 
    data=0x0, name=0x12ad835865e <Address 0x12ad835865e out of bounds>, respawn=<value optimized out>)
    at src/os/unix/ngx_process.c:189
#10 0x000000000041ca49 in ngx_start_worker_processes (cycle=0x816aab0, n=12, type=-3)
    at src/os/unix/ngx_process_cycle.c:347
#11 0x000000000041d914 in ngx_master_process_cycle (cycle=0x889110) at src/os/unix/ngx_process_cycle.c:128
#12 0x00000000004044da in main (argc=22, argv=0x8880e0) at src/core/nginx.c:385
(gdb) up
#1  0x000000000816aab0 in ?? ()
(gdb) up
#2  0x0000000000afa068 in ?? ()












Core was generated by `nginx: worker process                   '.
Program terminated with signal 11, Segmentation fault.
[New process 6511]
#0  ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
    at src/http/ngx_http_upstream.c:3905
3905	    return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
(gdb) l
3900	    if (r->upstream == NULL) {
3901	        v->not_found = 1;
3902	        return NGX_OK;
3903	    }
3904	
3905	    return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
3906	                                         &r->upstream->headers_in.headers.part,
3907	                                         sizeof("upstream_http_") - 1);
3908	}
3909	
(gdb) p r->upstream
$1 = (ngx_http_upstream_t *) 0xc08940
(gdb) p r->upstream->headers_in
$2 = {headers = {last = 0x4f4e20524f432050, part = {elts = 0x50206f4153502049, 
      nelts = 2329017704099300435, next = 0x56454420614d4441}, size = 6143508379677433953, 
    nalloc = 4705734159867650131, pool = 0x4f4320544e492056}, status_n = 6147448956320424013, 
  status_line = {len = 5931276225493606482, 
    data = 0x4946204145482045 <Address 0x4946204145482045 out of bounds>}, status = 0x4f502043544f204e, 
  date = 0x697078450a0d224c, server = 0x6e6f4d203a736572, connection = 0x6e614a203632202c, 
  expires = 0x3530203830303220, etag = 0x472030303a30303a, x_accel_expires = 0x7473614c0a0d544d, 
  x_accel_redirect = 0x65696669646f4d2d, x_accel_limit_rate = 0x202c697246203a64, 
  content_type = 0x3220706553203330, content_length = 0x323a353120303130, 
  last_modified = 0x544d472030313a37, location = 0x2d65686361430a0d, accept_ranges = 0x3a6c6f72746e6f43, 
  www_authenticate = 0x726f74732d6f6e20, content_encoding = 0x61632d6f6e202c65, 
  content_length_n = 8319675871588083811, cache_control = {elts = 0x696c617665722d74, 
    nelts = 8029953510654370148, size = 7738140083767571571, nalloc = 3271146530256203837, 
    pool = 0xd303d6b63656863}}
(gdb) p r->upstream->headers_in.part
There is no member named part.
(gdb) p r->upstream->headers_in.headers
$3 = {last = 0x4f4e20524f432050, part = {elts = 0x50206f4153502049, nelts = 2329017704099300435, 
    next = 0x56454420614d4441}, size = 6143508379677433953, nalloc = 4705734159867650131, 
  pool = 0x4f4320544e492056}
(gdb) p r->upstream->headers_in.headers.part
$4 = {elts = 0x50206f4153502049, nelts = 2329017704099300435, next = 0x56454420614d4441}
(gdb) 







