possible problem with ngx_palloc_small()
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 1 13:19:19 UTC 2020
Hello!
On Mon, Aug 31, 2020 at 11:08:13AM -0700, Maksim Yevmenkin wrote:
> Hello,
>
> a colleague of mine sent me this
>
> ==
>
> There is a problem in ngx_palloc_small() if it is called with arg
> 'align' set true when the small buffer is almost exhausted such that
> there are less bytes available in that buffer than the change in
> alignment consumes.
>
> In that case, 'm' (the alignment adjusted start of the remainder of
> the buffer) may move beyond the 'end' marker, meaning that p->d.end -
> m becomes -ve.
>
> Unfortunately, that subtraction is cast to a size_t (unsigned) and so
> its comparison to '>= size' is very likely true, meaning that the
> p->d.last is advanced beyond p->d.end and so memory already utilised
> is returned. If that happens to trample over bytes used for, say, the
> p->large->next->...->next chain, then a BUS error is likely.
>
> It seems that this can be addressed by :
>
> @@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
> ngx_uint_t align)
> m = ngx_align_ptr(m, NGX_ALIGNMENT);
> }
>
> - if ((size_t) (p->d.end - m) >= size) {
> + if (p->d.end >= (size + m)) {
> p->d.last = m + size;
>
> return m;
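Review bot: the replacement check `if (p->d.end >= (size + m))` still computes `m + size` after `ngx_align_ptr()` may already have moved `m` past `p->d.end`, so the comparison is made on a pointer that was never inside the block; it avoids the unsigned wrap of the subtraction but keeps the out-of-range pointer. Rejecting the overshoot first and keeping the existing subtraction reads more directly, e.g. `if (m <= p->d.end && (size_t) (p->d.end - m) >= size)`, and a one-line comment noting that the alignment step can carry `m` beyond `p->d.end` would help the next reader of this function.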
> ==
>
> can someone please share thoughts, comments, etc?
https://trac.nginx.org/nginx/ticket/686
--
Maxim Dounin
http://mdounin.ru/
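The failure mode described in the quoted report, as an added illustration written for this page (not code from nginx or from anyone in the thread): a minimal model of the small-block allocator with the quoted comparison beside a hardened one. `ALIGNMENT`, `pool_data_t`, `palloc_small_buggy`, `palloc_small_fixed` and `small_alloc_offset` are assumed names for the model; the block end is placed at a deliberately non-aligned offset so that fewer bytes are free than the alignment step consumes, which is the situation the report describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for NGX_ALIGNMENT (assumed 16 here; nginx takes it from the platform). */
#define ALIGNMENT 16

/* Model of the pool's d.last / d.end pair (assumed names, not nginx's structs). */
typedef struct {
    unsigned char *last;   /* first free byte */
    unsigned char *end;    /* one past the last byte of this block */
} pool_data_t;

/* Same rounding as ngx_align_ptr(): round p up to the next multiple of a. */
static unsigned char *align_ptr(unsigned char *p, uintptr_t a)
{
    return (unsigned char *) (((uintptr_t) p + (a - 1)) & ~(a - 1));
}

/*
 * The comparison quoted in the message: if aligning rounds m past d->end,
 * the difference is negative; the (size_t) cast turns it into a huge value,
 * the test passes, and a pointer beyond the block is handed out.
 */
static unsigned char *palloc_small_buggy(pool_data_t *d, size_t size, int align)
{
    unsigned char *m = d->last;

    if (align) {
        m = align_ptr(m, ALIGNMENT);
    }

    if ((size_t) (d->end - m) >= size) {
        d->last = m + size;
        return m;
    }

    return NULL;   /* nginx would go on to allocate a new block; modelled as refusal */
}

/* Hardened form: refuse as soon as the aligned m overshoots d->end. */
static unsigned char *palloc_small_fixed(pool_data_t *d, size_t size, int align)
{
    unsigned char *m = d->last;

    if (align) {
        m = align_ptr(m, ALIGNMENT);
    }

    if (m <= d->end && (size_t) (d->end - m) >= size) {
        d->last = m + size;
        return m;
    }

    return NULL;
}

/*
 * Run one aligned allocation of `size` bytes against a block whose free
 * area is [base + last_off, base + end_off) and report the offset of the
 * returned pointer from base, or -1 if the allocator refused.
 */
long small_alloc_offset(int use_fixed, size_t last_off, size_t end_off, size_t size)
{
    /* Backing store with slack after end_off, so an overshooting m still
       points inside this object and the pointer arithmetic stays defined. */
    static unsigned char backing[256];
    unsigned char *base = align_ptr(backing, ALIGNMENT);
    pool_data_t d;
    unsigned char *m;

    d.last = base + last_off;
    d.end = base + end_off;

    m = use_fixed ? palloc_small_fixed(&d, size, 1)
                  : palloc_small_buggy(&d, size, 1);

    return m == NULL ? -1 : (long) (m - base);
}

int main(void)
{
    /* Near exhaustion: 4 bytes left, but rounding 33 up to 48 needs 15. */
    printf("buggy: offset %ld (block ends at 37)\n", small_alloc_offset(0, 33, 37, 8));
    printf("fixed: offset %ld\n", small_alloc_offset(1, 33, 37, 8));
    /* Plenty of room: both variants agree. */
    printf("buggy: offset %ld\n", small_alloc_offset(0, 16, 37, 8));
    printf("fixed: offset %ld\n", small_alloc_offset(1, 16, 37, 8));
    return 0;
}
```

With 4 bytes free and a 16-byte alignment step, the quoted check hands back offset 48 in a block that ends at 37, exactly the "memory already utilised is returned" case; the hardened check refuses instead, and both behave identically when the request fits.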