[PATCH] Fixing an obvious segfault in ngx_http_upstream
Igor Sysoev
igor at sysoev.ru
Mon May 3 23:11:35 MSD 2010
On Sat, May 01, 2010 at 11:45:15AM +0800, agentzh wrote:
> Hi,
>
> I ran into a segfault while debugging one of my modules due to a bug
> in the ngx_http_upstream_create function. Here's the quick patch
>
> diff -udTr nginx-0.8.36/src/http/ngx_http_upstream.c
> nginx-0.8.36-patched/src/http/ngx_http_upstream.c
> --- nginx-0.8.36/src/http/ngx_http_upstream.c 2010-01-30
> 00:45:14.000000000 +0800
> +++ nginx-0.8.36-patched/src/http/ngx_http_upstream.c 2010-05-01
> 11:40:40.252227964 +0800
> @@ -365,8 +365,6 @@
> if (u && u->cleanup) {
> r->main->count++;
> ngx_http_upstream_cleanup(r);
> - *u->cleanup = NULL;
> - u->cleanup = NULL;
> }
>
> u = ngx_pcalloc(r->pool, sizeof(ngx_http_upstream_t));
>
> That is, ngx_http_upstream_cleanup will also clear both *u->cleanup
> and u->cleanup, so doing *u->cleanup = NULL again after the call will
> cause segfault (writing to a NULL pointer). This issue exists in nginx
> 0.8.36 and as old as at 0.8.29 :)
You should test u->cleanup before *u->cleanup = NULL.
This code has appeared in 0.8.33:
*) Bugfix: if a proxied or FastCGI request was internally redirected to
another proxied or FastCGI location, then $upstream_response_time
variable may have abnormally large value; the bug had appeared in
0.8.7.
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx-devel
mailing list