[PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin mdounin at mdounin.ru
Tue Jun 14 03:40:57 MSD 2011


Hello!

On Mon, Jun 13, 2011 at 10:56:55PM +0800, Simon Liu wrote:

> this is my new patch, I use bitmask and ngx_list.

I belive bitmask *and* list is overkill.  Nobody stops us from 
allocating correct amount of memory for bitmask on start.

Try the attached patch.

Maxim Dounin
-------------- next part --------------
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1308007960 -14400
# Node ID 2eb8da7bf784116d007c5d2159a06f77bf7bf361
# Parent  1c167244d2fdb064c159012c50a7ae3fd1ed254a
Fastcgi: fix fastcgi_param with "HTTP_".

diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -691,11 +691,12 @@ ngx_http_fastcgi_create_request(ngx_http
     u_char                        ch, *pos, *lowcase_key;
     size_t                        size, len, key_len, val_len, padding,
                                   allocated;
-    ngx_uint_t                    i, n, next, hash, header_params;
+    uintptr_t                    *ignored, m;
+    ngx_uint_t                    i, n, k, next, hash;
     ngx_buf_t                    *b;
     ngx_chain_t                  *cl, *body;
     ngx_list_part_t              *part;
-    ngx_table_elt_t              *header, **ignored;
+    ngx_table_elt_t              *header;
     ngx_http_script_code_pt       code;
     ngx_http_script_engine_t      e, le;
     ngx_http_fastcgi_header_t    *h;
@@ -703,7 +704,6 @@ ngx_http_fastcgi_create_request(ngx_http
     ngx_http_script_len_code_pt   lcode;
 
     len = 0;
-    header_params = 0;
     ignored = NULL;
 
     flcf = ngx_http_get_module_loc_conf(r, ngx_http_fastcgi_module);
@@ -737,7 +737,17 @@ ngx_http_fastcgi_create_request(ngx_http
         lowcase_key = NULL;
 
         if (flcf->header_params) {
-            ignored = ngx_palloc(r->pool, flcf->header_params * sizeof(void *));
+            part = &r->headers_in.headers.part;
+            k = 0;
+
+            while (part) {
+                k += part->nelts;
+                part = part->next;
+            }
+
+            n = (k + (8 * sizeof(uintptr_t) - 1)) / (8 * sizeof(uintptr_t));
+
+            ignored = ngx_pcalloc(r->pool, n * sizeof(uintptr_t));
             if (ignored == NULL) {
                 return NGX_ERROR;
             }
@@ -745,6 +755,7 @@ ngx_http_fastcgi_create_request(ngx_http
 
         part = &r->headers_in.headers.part;
         header = part->elts;
+        k = 0;
 
         for (i = 0; /* void */; i++) {
 
@@ -784,10 +795,16 @@ ngx_http_fastcgi_create_request(ngx_http
                 }
 
                 if (ngx_hash_find(&flcf->headers_hash, hash, lowcase_key, n)) {
-                    ignored[header_params++] = &header[i];
+                    n = k / (8 * sizeof(uintptr_t));
+                    m = (uintptr_t) 1 << k % (8 * sizeof(uintptr_t));
+
+                    ignored[n] |= m;
+
+                    k++;
                     continue;
                 }
 
+                k++;
                 n += sizeof("HTTP_") - 1;
 
             } else {
@@ -902,6 +919,7 @@ ngx_http_fastcgi_create_request(ngx_http
 
         part = &r->headers_in.headers.part;
         header = part->elts;
+        k = 0;
 
         for (i = 0; /* void */; i++) {
 
@@ -915,9 +933,13 @@ ngx_http_fastcgi_create_request(ngx_http
                 i = 0;
             }
 
-            for (n = 0; n < header_params; n++) {
-                if (&header[i] == ignored[n]) {
-                    goto next;
+            if (flcf->header_params) {
+                n = k / (8 * sizeof(uintptr_t));
+                m = (uintptr_t) 1 << k % (8 * sizeof(uintptr_t));
+                k++;
+
+                if (ignored[n] & m) {
+                    continue;
                 }
             }
 
@@ -964,9 +986,6 @@ ngx_http_fastcgi_create_request(ngx_http
                            "fastcgi param: \"%*s: %*s\"",
                            key_len, b->last - (key_len + val_len),
                            val_len, b->last - val_len);
-        next:
-
-            continue;
         }
     }
 


More information about the nginx-devel mailing list