<div>Hi,</div><div> The red-black tree used in limit_request module has two level of keys, the top is hash, and the next is the value string itself. However, when inserting a new node into the tree, only hash is set, the value string is left empty, as such code shows the whole thing:<br>
</div><div><br></div><div>445: node->key = hash;<br>446:<br>447: ngx_rbtree_insert(&ctx->sh->rbtree, node);<br>448:<br>449: lr = (ngx_http_limit_req_node_t *) &node->color;<br>
450:<br>451: ngx_queue_insert_head(&ctx->sh->queue, &lr->queue);<br>452:<br>453: lr->len = (u_char) len;<br>454: lr->excess = 0;<br>455:<br>456: ngx_memcpy(lr->data, data, len);<br>
</div><div><br></div><div> So there are chances nginx inserts a node which the value string is large, into the left sub tree.</div><div><br></div><div> The bugfix is to move line 447 to under line 456.<br>
</div><div><br></div><div><span lang="EN-US">--</span></div>
<p><span lang="EN-US">Charles Chen</span></p>
<p><span lang="EN-US">Software Engineer</span></p>
<p><span lang="EN-US">Server Platforms Team at Taobao.com</span><br></p><br>