nginx 0.8.41 segfaults in ngx_list_push
Maxim Dounin
mdounin at mdounin.ru
Mon Jun 21 22:18:33 MSD 2010
Hello!

On Mon, Jun 21, 2010 at 10:57:06AM -0700, Roman Vasilyev wrote:
> Hi,
>
> I'm not using any of these functions, and as far as I can see mod_gzip
> is not calling these functions either, but it uses ngx_list_push.
>
> Here are parts of my code:
>
> static ngx_int_t ngx_http_header_add(ngx_http_request_t *r, char *key,
>     ngx_str_t value)
> {
>     ngx_table_elt_t *h;
>
>     if (!key || value.len==0)
>         return -1;
>
>     h = ngx_list_push(&r->headers_in.headers); <==

You shouldn't attempt to modify r->headers_in, it's not a safe
operation to do.

And r->headers_in are known to sometimes be in an inconsistent
state - e.g. in subrequests, where they are partially copied from
the parent request, but members needed for manipulations aren't
correctly initialized (as request headers were already parsed and
no further manipulations are expected).

Further reading:

http://nginx.org/pipermail/nginx-devel/2010-February/000132.html
http://nginx.org/pipermail/nginx-devel/2010-February/000133.html

Maxim Dounin
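
A self-contained model, added here and not taken from nginx or from either poster, of how a list header copied by plain struct assignment ends up inconsistent: nginx's ngx_list_t keeps a `last` pointer to the part that receives the next push, and after initialization that pointer refers to the first part embedded in the header itself. The `toy_*` types and the use of struct assignment to stand in for the partial copy are assumptions for illustration.

```c
#include <stdlib.h>

/* Toy model of a part-based list; toy_* names are hypothetical, not nginx API.
 * last = part that takes the next push; part = first part, embedded in the header. */
typedef struct toy_part_s toy_part_t;
struct toy_part_s { int *elts; size_t nelts; toy_part_t *next; };
typedef struct { toy_part_t *last; toy_part_t part; size_t nalloc; } toy_list_t;
typedef struct { size_t parent, child; int child_ok; } toy_result_t;

static int toy_list_init(toy_list_t *l, size_t n) {
    int *elts = malloc(n * sizeof(int));
    if (elts == NULL) return -1;
    l->part = (toy_part_t){ elts, 0, NULL };
    l->last = &l->part;  /* points into this very header */
    l->nalloc = n;
    return 0;
}

static int *toy_list_push(toy_list_t *l) {
    toy_part_t *last = l->last;
    if (last->nelts == l->nalloc) return NULL;  /* chaining a new part omitted */
    return &last->elts[last->nelts++];
}

/* Sanity check before modifying: is l->last reachable from l->part? */
static int toy_list_consistent(const toy_list_t *l) {
    for (const toy_part_t *p = &l->part; p != NULL; p = p->next)
        if (p == l->last) return 1;
    return 0;
}

/* Push through a struct-assigned copy and report what each list then holds. */
static toy_result_t toy_demo(void) {
    toy_list_t parent, child;
    toy_result_t r = {0, 0, 0};
    if (toy_list_init(&parent, 4) != 0) return r;
    *toy_list_push(&parent) = 1;
    child = parent;                   /* child.last still points at parent.part */
    r.child_ok = toy_list_consistent(&child);
    *toy_list_push(&child) = 2;       /* bumps parent.part.nelts, not child's */
    r.parent = parent.part.nelts;
    r.child = child.part.nelts;
    free(parent.part.elts);
    return r;
}

int main(void) {
    toy_result_t r = toy_demo();
    return (r.parent == 2 && r.child == 1 && !r.child_ok) ? 0 : 1;
}
```

In this model the push made through the copy is counted in the original list only, so the copy never sees its own element while the original gains one it did not ask for.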