a bug in limit_request module

chen cw crk_world at yahoo.com.cn
Wed Aug 22 13:49:52 UTC 2012


Hi,
       The red-black tree used in limit_request module has two level of
keys, the top is hash, and the next is the value string itself. However,
when inserting a new node into the tree, only hash is set, the value string
is left empty, as such code shows the whole thing:

445:        node->key = hash;
446:
447:        ngx_rbtree_insert(&ctx->sh->rbtree, node);
448:
449:        lr = (ngx_http_limit_req_node_t *) &node->color;
450:
451:        ngx_queue_insert_head(&ctx->sh->queue, &lr->queue);
452:
453:        lr->len = (u_char) len;
454:        lr->excess = 0;
455:
456:        ngx_memcpy(lr->data, data, len);

         So there are chances nginx inserts a node which the value string
is large, into the left sub tree.

         The bugfix is to move line 447 to under line 456.

--

Charles Chen

Software Engineer

Server Platforms Team at Taobao.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120822/58a03eaf/attachment.html>


More information about the nginx-devel mailing list