a bug in limit_request module
chen cw
crk_world at yahoo.com.cn
Wed Aug 22 13:49:52 UTC 2012
Hi,
The red-black tree used in limit_request module has two level of
keys, the top is hash, and the next is the value string itself. However,
when inserting a new node into the tree, only hash is set, the value string
is left empty, as such code shows the whole thing:
445: node->key = hash;
446:
447: ngx_rbtree_insert(&ctx->sh->rbtree, node);
448:
449: lr = (ngx_http_limit_req_node_t *) &node->color;
450:
451: ngx_queue_insert_head(&ctx->sh->queue, &lr->queue);
452:
453: lr->len = (u_char) len;
454: lr->excess = 0;
455:
456: ngx_memcpy(lr->data, data, len);
So there are chances nginx inserts a node which the value string
is large, into the left sub tree.
The bugfix is to move line 447 to under line 456.
--
Charles Chen
Software Engineer
Server Platforms Team at Taobao.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120822/58a03eaf/attachment.html>
More information about the nginx-devel
mailing list