NGINX crash

Maxim Dounin mdounin at mdounin.ru
Mon Aug 13 02:26:53 UTC 2012 

Hello!

On Fri, Aug 10, 2012 at 03:51:15PM -0400, double wrote:

[...]

> (gdb) fr 2
> #2  0x000000000046d5d2 in ngx_http_limit_req_handler (r=0x1b99faa0) at
> src/http/modules/ngx_http_limit_req_module.c:192
> 192     in src/http/modules/ngx_http_limit_req_module.c
> 
> (gdb) p *limit
> $1 = {shm_zone = 0x1b9319e8, burst = 10000, nodelay = 0}
> 
> (gdb) p *ctx
> $2 = {sh = 0x2af913765000, shpool = 0x2af913735000, rate = 2000, index =
> 2, var = {len = 9, data = 0x1b9580f9 "ipaddress"}, node = 0x0}
> 
> (gdb) p *vv
> $3 = {len = 194343136, valid = 1, no_cacheable = 0, not_found = 0,
> escape = 0, data = 0x0}

[...]

Ok, it looks like I see the problem.  It might be triggered if the 
same variable is used multiple times on a right side of a map.  
Attached patch should fix this.

Maxim Dounin
-------------- next part --------------
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1344824745 -14400
# Node ID 5f6bfa7fff58dcaf4610a6871cf696c1eb1ef7d8
# Parent  5f9a1c6f51c84964fd629d22f756aaa4cee80a94
Map: fixed optimization of variables as values.

Previous code incorrectly used ctx->var_values as an array of variable
pointers (not variables as it should).  Additionally, ctx->var_values
inspection failed to properly set var on match.

diff --git a/src/http/modules/ngx_http_map_module.c b/src/http/modules/ngx_http_map_module.c
--- a/src/http/modules/ngx_http_map_module.c
+++ b/src/http/modules/ngx_http_map_module.c
@@ -416,11 +416,12 @@ ngx_http_map(ngx_conf_t *cf, ngx_command
 
         for (i = 0; i < ctx->var_values.nelts; i++) {
             if (index == (ngx_int_t) var[i].data) {
+                var = &var[i];
                 goto found;
             }
         }
 
-        var = ngx_palloc(ctx->keys.pool, sizeof(ngx_http_variable_value_t));
+        var = ngx_array_push(&ctx->var_values);
         if (var == NULL) {
             return NGX_CONF_ERROR;
         }
@@ -431,13 +432,6 @@ ngx_http_map(ngx_conf_t *cf, ngx_command
         var->len = 0;
         var->data = (u_char *) index;
 
-        vp = ngx_array_push(&ctx->var_values);
-        if (vp == NULL) {
-            return NGX_CONF_ERROR;
-        }
-
-        *vp = var;
-
         goto found;
     }

More information about the nginx mailing list