[BUG] New memory invalid read regression in resolver since nginx 1.7.5
Yichun Zhang (agentzh)
agentzh at gmail.com
Tue Sep 30 22:51:40 UTC 2014
Hello!
On Tue, Sep 30, 2014 at 3:10 PM, Yichun Zhang (agentzh) wrote:
> ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
> "event timer del: %d: %M",
> ngx_event_ident(ev->data), ev->timer.key);
>
There is another issue here: it seems that ngx_event_ident() assumes
ev->data is an ngx_connection_t pointer:
#define ngx_event_ident(p) ((ngx_connection_t *) (p))->fd
But in fact, ev->data can point to anything. Maybe it makes more
sense to just output the pointer value of ev->data here?
How about the following patch?
# HG changeset patch
# User Yichun Zhang <agentzh at gmail.com>
# Date 1412117428 25200
# Tue Sep 30 15:50:28 2014 -0700
# Node ID 1ff0f68d9376e3d184d65814a6372856bf65cfcd
# Parent a215d9021f137b9e2d4f69c37c7f992a2bef12c6
Event: ngx_event_ident should not assume ev->data to be an ngx_connection_t.
This change also fixes an invalid memory read in the resolver since 1.7.5
when --with-debug is used in the build.
diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event.h
--- a/src/event/ngx_event.h Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event.h Tue Sep 30 15:50:28 2014 -0700
@@ -526,7 +526,7 @@ ngx_int_t ngx_send_lowat(ngx_connection_
/* used in ngx_log_debugX() */
-#define ngx_event_ident(p) ((ngx_connection_t *) (p))->fd
+#define ngx_event_ident(p) (p)
#include <ngx_event_timer.h>
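Review bot: redefining ngx_event_ident(p) as (p) changes the argument type at every call site, but the patch only switches format strings from %d to %p in ngx_event_timer.c and ngx_event_timer.h. Any other user of the macro that still pairs it with %d would now pass a pointer where an integer is expected, so grep the tree for ngx_event_ident before committing. Since the macro is now an identity, the "used in ngx_log_debugX()" comment above it could also say that it yields a pointer meant for %p, or the macro could be dropped and ev->data passed directly.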
diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event_timer.c
--- a/src/event/ngx_event_timer.c Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event_timer.c Tue Sep 30 15:50:28 2014 -0700
@@ -99,7 +99,7 @@ ngx_event_expire_timers(void)
ev = (ngx_event_t *) ((char *) node -
offsetof(ngx_event_t, timer));
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
- "event timer del: %d: %M",
+ "event timer del: %p: %M",
ngx_event_ident(ev->data), ev->timer.key);
ngx_rbtree_delete(&ngx_event_timer_rbtree, &ev->timer);
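Review bot: the message in ngx_event_expire_timers() is "event timer del: %p: %M", the same text ngx_event_del_timer() logs further down in this patch. With the descriptor gone and only a pointer left as identifier, a reader of the debug log cannot tell an expired timer from an explicitly deleted one. While these strings are being touched anyway, consider giving the expiry path its own wording.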
diff -r a215d9021f13 -r 1ff0f68d9376 src/event/ngx_event_timer.h
--- a/src/event/ngx_event_timer.h Tue Sep 30 17:20:33 2014 +0400
+++ b/src/event/ngx_event_timer.h Tue Sep 30 15:50:28 2014 -0700
@@ -36,7 +36,7 @@ static ngx_inline void
ngx_event_del_timer(ngx_event_t *ev)
{
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
- "event timer del: %d: %M",
+ "event timer del: %p: %M",
ngx_event_ident(ev->data), ev->timer.key);
ngx_mutex_lock(ngx_event_timer_mutex);
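Review bot: the %d to %p switch in ngx_event_del_timer() removes the descriptor number from the timer debug line, and the two ngx_event_add_timer() messages below lose it the same way. Anyone who correlates timer events with connection log lines by fd loses that link, and the commit message does not mention it. State the log format change in the commit message so that readers and parsers of debug logs know the field is now a pointer.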
@@ -75,7 +75,7 @@ ngx_event_add_timer(ngx_event_t *ev, ngx
if (ngx_abs(diff) < NGX_TIMER_LAZY_DELAY) {
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ev->log, 0,
- "event timer: %d, old: %M, new: %M",
+ "event timer: %p, old: %M, new: %M",
ngx_event_ident(ev->data), ev->timer.key, key);
return;
}
@@ -86,7 +86,7 @@ ngx_event_add_timer(ngx_event_t *ev, ngx
ev->timer.key = key;
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ev->log, 0,
- "event timer add: %d: %M:%M",
+ "event timer add: %p: %M:%M",
ngx_event_ident(ev->data), timer, ev->timer.key);
ngx_mutex_lock(ngx_event_timer_mutex);