[nginx] setting variable cause core when used by lua

洪志道 hongzhidao at gmail.com
Fri Feb 17 03:36:59 UTC 2017


It works well now, thank you!

2017-02-16 22:14 GMT+08:00 Maxim Dounin <mdounin at mdounin.ru>:

> Hello!
>
> On Thu, Feb 16, 2017 at 03:51:24PM +0800, 洪志道 wrote:
>
> > Hi.
> >
> > diff -r da46bfc484ef src/http/ngx_http_variables.c
> > --- a/src/http/ngx_http_variables.c Mon Feb 13 21:45:01 2017 +0300
> > +++ b/src/http/ngx_http_variables.c Wed Feb 08 10:31:53 2017 +0800
> > @@ -783,6 +783,10 @@
> >      ssize_t    s, *sp;
> >      ngx_str_t  val;
> >
> > +    if (v->data == NULL) {
> > +        return;
> > +    }
> > +
> >      val.len = v->len;
> >      val.data = v->data;
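
Review bot: the guard added above `val.len = v->len;` tests `v->data == NULL` rather than the length, so a value with a non-NULL `data` and a `len` of 0 still reaches the code below. It also returns silently: nothing is logged, and the bare `return;` gives the caller no sign that the assignment was dropped. Consider checking `v->len == 0` as well and logging an error before returning.
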
> >
> >
> > The following will cause a core file; I think it's better to deal with it
> > in nginx.
> >
> > server {
> >     listen  8000;
> >
> >     location / {
> >         content_by_lua_block {
> >             ngx.var.limit_rate = size;  -- size is undefined.
> >             ngx.say('hello lua');
> >         }
> >     }
> > }
>
> This looks like a bug in ngx_parse_size(), it incorrectly assumes
> that the input string is at least 1 character long.  And I believe
> it can be triggered without Lua too.
>
> Please test if the following patch fixes things for you:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1487253948 -10800
> #      Thu Feb 16 17:05:48 2017 +0300
> # Node ID 51c8df305d083bc57828f68cd6e709cacdcc41c0
> # Parent  be00ca08e41a69e585b6aff70a725ed6c9e1a876
> Fixed ngx_parse_size() / ngx_parse_offset() with 0-length strings.
>
> diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
> --- a/src/core/ngx_parse.c
> +++ b/src/core/ngx_parse.c
> @@ -17,6 +17,11 @@ ngx_parse_size(ngx_str_t *line)
>      ssize_t  size, scale, max;
>
>      len = line->len;
> +
> +    if (len == 0) {
> +        return NGX_ERROR;
> +    }
> +
>      unit = line->data[len - 1];
>
>      switch (unit) {
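
Review bot: the new `len == 0` guard in ngx_parse_size() carries no comment saying why it is there. A one-line comment noting that `line->data[len - 1]` reads outside the string when `len` is 0 would keep the check from being dropped in a later cleanup, and the commit message could name a configuration that reaches it.
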
> @@ -58,6 +63,11 @@ ngx_parse_offset(ngx_str_t *line)
>      size_t  len;
>
>      len = line->len;
> +
> +    if (len == 0) {
> +        return NGX_ERROR;
> +    }
> +
>      unit = line->data[len - 1];
>
>      switch (unit) {
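
Review bot: the guard in ngx_parse_offset() repeats, line for line, the one added to ngx_parse_size() in the previous hunk. Since `len` is declared `size_t` here, `len - 1` wraps around for an empty string, so the check is needed, but two identical copies can drift apart. A small shared helper, or at least the same comment in both places, would help, and any other code in this file that indexes `line->data[len - 1]` deserves the same look.
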
>
>
> --
> Maxim Dounin
> http://nginx.org/