A bug with geo module which may cause Nginx segment fault.

姚伟斌 nbubingo at gmail.com
Thu Aug 16 08:46:05 UTC 2012


We found a bug with geo module. If you use geo module with range
directive, but you don't add the default directive, it'll cause a
segment fault.

The test configure is like this:

http {

  geo $geo {
     ranges;   1;

  server {
      listen 80;

      location / {
         set $test $geo;
         root   html;
         index  index.html index.htm;


The reason is that configure structure value is assigned to the geo
structure before the default value initialized. You can see the code
in the geo module:

 geo->u.high = ctx.high;

  var->get_handler = ngx_http_geo_range_variable;
  var->data = (uintptr_t) geo;

  if (ctx.high.default_value == NULL) {
        ctx.high.default_value = &ngx_http_variable_null_value;

The variable of ctx is allocated by stack. And the member variable
ctx.high is structure, not a pointer.

The attachment is our patch for this bug.  The man who first found
this bug is Zhen Chen ( gongyuan.cz at taobao.com ) in our team.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: geo.patch
Type: application/octet-stream
Size: 797 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120816/d9849b32/attachment.obj>

More information about the nginx-devel mailing list