ngx_http_variable_unknown_header() dereferences null pointer
Franchoze Eric
franchoze at yandex.ru
Sat Sep 4 00:06:45 MSD 2010
Got segfault at src/http/ngx_http_upstream.c:3905
0.8.49
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
/*
 * Variable handler that resolves a value from the upstream response headers
 * of request r.
 *
 * r    - current request; r->upstream is checked for NULL before use.
 * v    - variable value to fill in; it is written through unconditionally
 *        (v->not_found here, v->len / v->valid in the callee excerpt).
 * data - cast to (ngx_str_t *) and handed to the lookup helper; presumably
 *        the variable name -- confirm against the registration site.
 *
 * Returns NGX_OK with v->not_found set when the request has no upstream,
 * otherwise whatever ngx_http_variable_unknown_header() returns.
 *
 * NOTE(review): the NULL test is the only validation of r->upstream.  In the
 * core dump quoted on this page r->upstream is non-NULL (0xc08940), so the
 * guard passes, yet the bytes of headers_in decode as ASCII HTTP header text
 * ("...Expires: Mon, 26 Jan 2008 05:00:00 GMT", "Last-Modified: Fri, 03 Sep
 * 2010 15:27:10 GMT", "Cache-Control: no-store, no-cache, ...").  That looks
 * like an overwritten or stale upstream structure rather than a plain NULL
 * dereference, so list fields such as part.elts / part.nelts / part.next
 * cannot be trusted and the root cause is presumably earlier than this
 * function.  Frame #5 of the backtrace is in src/ngx_http_memc_response.c,
 * which may be relevant -- confirm.
 *
 * NOTE(review): frame #0 prints v=0x0, but frames #1/#2 are unresolved and
 * other frames show implausible arguments, so the printed arguments may be
 * unreliable -- verify before treating v as the NULL pointer.
 */
ngx_int_t
ngx_http_upstream_header_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    /* No upstream attached to this request: report the variable as absent. */
    if (r->upstream == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    /*
     * Search the upstream header list starting at its first part.  The last
     * argument is the length of the literal "upstream_http_" without its
     * terminating NUL; presumably the prefix the helper skips in the
     * variable name -- TODO confirm.
     */
    return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
                                            &r->upstream->headers_in.headers.part,
                                            sizeof("upstream_http_") - 1);
}
...
ngx_http_variable_unknown_header () {
v->len = header[i].value.len;
v->valid = 1;
}
[New process 6511]
#0 ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
at src/http/ngx_http_upstream.c:3905
3905 return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
(gdb) bt
#0 ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
at src/http/ngx_http_upstream.c:3905
#1 0x000000000816aab0 in ?? ()
#2 0x0000000000afa068 in ?? ()
#3 0x0000000000436a92 in ngx_http_upstream_check_broken_connection (r=0x1f3, ev=0x816aab0)
at src/http/ngx_http_upstream.c:1026
#4 0x0000000000436b17 in ngx_http_upstream_check_broken_connection (r=0x5, ev=0x0)
at src/http/ngx_http_upstream.c:1048
#5 0x0000000000464609 in ngx_http_memc_process_simple_header (r=0x816aab0)
at src/ngx_http_memc_response.c:3230
#6 0x0000000000889110 in ?? ()
#7 0x0000000000889110 in ?? ()
#8 0x000000000041d3b0 in ngx_worker_process_cycle (cycle=0xfffffffffffffffd, data=<value optimized out>)
at src/os/unix/ngx_process_cycle.c:775
#9 0x000000000041bcf7 in ngx_spawn_process (cycle=0x889110, proc=0x41d2e8 <ngx_worker_process_exit+356>,
data=0x0, name=0x12ad835865e <Address 0x12ad835865e out of bounds>, respawn=<value optimized out>)
at src/os/unix/ngx_process.c:189
#10 0x000000000041ca49 in ngx_start_worker_processes (cycle=0x816aab0, n=12, type=-3)
at src/os/unix/ngx_process_cycle.c:347
#11 0x000000000041d914 in ngx_master_process_cycle (cycle=0x889110) at src/os/unix/ngx_process_cycle.c:128
#12 0x00000000004044da in main (argc=22, argv=0x8880e0) at src/core/nginx.c:385
(gdb) up
#1 0x000000000816aab0 in ?? ()
(gdb) up
#2 0x0000000000afa068 in ?? ()
Core was generated by `nginx: worker process '.
Program terminated with signal 11, Segmentation fault.
[New process 6511]
#0 ngx_http_upstream_header_variable (r=0x816aab0, v=0x0, data=12618048)
at src/http/ngx_http_upstream.c:3905
3905 return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
(gdb) l
3900 if (r->upstream == NULL) {
3901 v->not_found = 1;
3902 return NGX_OK;
3903 }
3904
3905 return ngx_http_variable_unknown_header(v, (ngx_str_t *) data,
3906 &r->upstream->headers_in.headers.part,
3907 sizeof("upstream_http_") - 1);
3908 }
3909
(gdb) p r->upstream
$1 = (ngx_http_upstream_t *) 0xc08940
(gdb) p r->upstream->headers_in
$2 = {headers = {last = 0x4f4e20524f432050, part = {elts = 0x50206f4153502049,
nelts = 2329017704099300435, next = 0x56454420614d4441}, size = 6143508379677433953,
nalloc = 4705734159867650131, pool = 0x4f4320544e492056}, status_n = 6147448956320424013,
status_line = {len = 5931276225493606482,
data = 0x4946204145482045 <Address 0x4946204145482045 out of bounds>}, status = 0x4f502043544f204e,
date = 0x697078450a0d224c, server = 0x6e6f4d203a736572, connection = 0x6e614a203632202c,
expires = 0x3530203830303220, etag = 0x472030303a30303a, x_accel_expires = 0x7473614c0a0d544d,
x_accel_redirect = 0x65696669646f4d2d, x_accel_limit_rate = 0x202c697246203a64,
content_type = 0x3220706553203330, content_length = 0x323a353120303130,
last_modified = 0x544d472030313a37, location = 0x2d65686361430a0d, accept_ranges = 0x3a6c6f72746e6f43,
www_authenticate = 0x726f74732d6f6e20, content_encoding = 0x61632d6f6e202c65,
content_length_n = 8319675871588083811, cache_control = {elts = 0x696c617665722d74,
nelts = 8029953510654370148, size = 7738140083767571571, nalloc = 3271146530256203837,
pool = 0xd303d6b63656863}}
(gdb) p r->upstream->headers_in.part
There is no member named part.
(gdb) p r->upstream->headers_in.headers
$3 = {last = 0x4f4e20524f432050, part = {elts = 0x50206f4153502049, nelts = 2329017704099300435,
next = 0x56454420614d4441}, size = 6143508379677433953, nalloc = 4705734159867650131,
pool = 0x4f4320544e492056}
(gdb) p r->upstream->headers_in.headers.part
$4 = {elts = 0x50206f4153502049, nelts = 2329017704099300435, next = 0x56454420614d4441}
(gdb)