a bug in limit_request module

chen cw crk_world at yahoo.com.cn
Wed Aug 22 13:49:52 UTC 2012

       The red-black tree used in limit_request module has two level of
keys, the top is hash, and the next is the value string itself. However,
when inserting a new node into the tree, only hash is set, the value string
is left empty, as such code shows the whole thing:

445:        node->key = hash;
447:        ngx_rbtree_insert(&ctx->sh->rbtree, node);
449:        lr = (ngx_http_limit_req_node_t *) &node->color;
451:        ngx_queue_insert_head(&ctx->sh->queue, &lr->queue);
453:        lr->len = (u_char) len;
454:        lr->excess = 0;
456:        ngx_memcpy(lr->data, data, len);

         So there are chances nginx inserts a node which the value string
is large, into the left sub tree.

         The bugfix is to move line 447 to under line 456.


Charles Chen

Software Engineer

Server Platforms Team at Taobao.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120822/58a03eaf/attachment.html>

More information about the nginx-devel mailing list