[PATCH] Fixing an obvious segfault in ngx_http_upstream

Igor Sysoev igor at sysoev.ru
Mon May 3 23:11:35 MSD 2010


On Sat, May 01, 2010 at 11:45:15AM +0800, agentzh wrote:

> Hi,
> 
> I ran into a segfault while debugging one of my modules due to a bug
> in the ngx_http_upstream_create function. Here's the quick patch
> 
> diff -udTr nginx-0.8.36/src/http/ngx_http_upstream.c
> nginx-0.8.36-patched/src/http/ngx_http_upstream.c
> --- nginx-0.8.36/src/http/ngx_http_upstream.c	2010-01-30
> 00:45:14.000000000 +0800
> +++ nginx-0.8.36-patched/src/http/ngx_http_upstream.c	2010-05-01
> 11:40:40.252227964 +0800
> @@ -365,8 +365,6 @@
> 	    if (u && u->cleanup) {
> 	        r->main->count++;
> 	        ngx_http_upstream_cleanup(r);
> -	        *u->cleanup = NULL;
> -	        u->cleanup = NULL;
> 	    }
> 	
> 	    u = ngx_pcalloc(r->pool, sizeof(ngx_http_upstream_t));
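Review bot: Removing both assignments is a broader change than the defect needs; the crash comes from `*u->cleanup = NULL` running after `ngx_http_upstream_cleanup(r)` has already set `u->cleanup` to NULL, so the minimal fix is to guard the write rather than delete it, i.e. keep the two lines but wrap them as `if (u->cleanup) { *u->cleanup = NULL; u->cleanup = NULL; }` (the check Igor suggests in his reply). That keeps the request's cleanup slot and `u->cleanup` cleared on any path where the cleanup routine does not clear them itself, while still avoiding the NULL dereference.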
> 
> That is, ngx_http_upstream_cleanup will also clear both *u->cleanup
> and u->cleanup, so doing *u->cleanup = NULL again after the call will
> cause a segfault (writing through a NULL pointer). This issue exists in nginx
> 0.8.36 and is as old as 0.8.29 :)

You should test u->cleanup before *u->cleanup = NULL.
This code has appeared in 0.8.33:

    *) Bugfix: if a proxied or FastCGI request was internally redirected to 
       another proxied or FastCGI location, then $upstream_response_time 
       variable may have abnormally large value; the bug had appeared in 
       0.8.7.


-- 
Igor Sysoev
http://sysoev.ru/en/
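The failure mode in the thread, reduced to a stand-alone model (this is an added illustration, not nginx code; the struct, field and function names only mirror the ones in the quoted hunk, and the cleanup handler signature is simplified). The cleanup routine clears both the request's handler slot and `u->cleanup`, so an unguarded `*u->cleanup = NULL` afterwards writes through a NULL pointer. The unguarded variant below reports that condition with a return value instead of actually crashing, so the two forms can be compared in a test; the guarded variant is the check Igor recommends.

```c
/* Added illustration of the pattern in the patch; not code from nginx. */
#include <stddef.h>
#include <stdio.h>

typedef struct upstream_s upstream_t;
typedef void (*cleanup_pt)(upstream_t *u);   /* simplified handler type */

/* The request owns a slot holding the registered cleanup handler. */
typedef struct {
    cleanup_pt handler;    /* stand-in for the request's cleanup slot */
} request_t;

struct upstream_s {
    cleanup_pt *cleanup;   /* points at the slot in the request, or NULL */
};

static void noop_cleanup(upstream_t *u) { (void)u; }

/* Mirrors what agentzh describes ngx_http_upstream_cleanup doing: run the
 * handler, then clear both the request's slot and u->cleanup itself. */
static void upstream_cleanup(upstream_t *u)
{
    if (u->cleanup) {
        if (*u->cleanup) {
            (*u->cleanup)(u);
        }
        *u->cleanup = NULL;   /* clear the slot in the request */
        u->cleanup = NULL;    /* and the upstream's pointer to it */
    }
}

/* Unguarded form (the two lines the patch removes). After upstream_cleanup
 * has set u->cleanup to NULL, "*u->cleanup = NULL" dereferences NULL.
 * Returns -1 at the point where the original code would segfault, so the
 * defect can be shown without crashing the process; 0 if the write was safe. */
static int reset_unguarded(upstream_t *u)
{
    upstream_cleanup(u);
    if (u->cleanup == NULL) {
        return -1;            /* original code: write through NULL here */
    }
    *u->cleanup = NULL;
    u->cleanup = NULL;
    return 0;
}

/* Guarded form, as Igor suggests: test u->cleanup before writing through it.
 * Correct whether or not the cleanup routine already cleared the pointers. */
static int reset_guarded(upstream_t *u)
{
    upstream_cleanup(u);
    if (u->cleanup) {
        *u->cleanup = NULL;
        u->cleanup = NULL;
    }
    return 0;
}

/* Fresh request/upstream pair through the unguarded path: -1 means the
 * write would have gone through a NULL pointer. */
static int demo_unguarded(void)
{
    request_t r = { noop_cleanup };
    upstream_t u = { &r.handler };
    return reset_unguarded(&u);
}

/* Fresh pair through the guarded path: 1 when it completes and both the
 * handler slot and u->cleanup end up NULL, 0 otherwise. */
static int demo_guarded(void)
{
    request_t r = { noop_cleanup };
    upstream_t u = { &r.handler };
    return reset_guarded(&u) == 0 && r.handler == NULL && u.cleanup == NULL;
}

int main(void)
{
    printf("unguarded: %d (-1 = NULL dereference)\n", demo_unguarded());
    printf("guarded:   %d (1 = cleared safely)\n", demo_guarded());
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The guard is cheap and makes the caller independent of whether the cleanup routine clears the handle, which is the property Igor's suggested check buys over simply deleting the two assignments.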