A coredump risk in core/ngx_resolver.c
Maxim Dounin
mdounin at mdounin.ru
Fri Feb 3 10:54:30 UTC 2012
Hello!
On Fri, Feb 03, 2012 at 02:02:12PM +0800, devfua wrote:
> /* convert "www.example.com" to "\3www\7example\3com\0" */
>
> len = 0;
> p--;
> *p-- = '\0';
>
> for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
>     if (*s != '.') {
>         *p = *s;
>         len++;
>
>     } else {
>         if (len == 0) {
>             return NGX_DECLINED;
>         }
>
>         *p = (u_char) len;
>         len = 0;
>     }
>
>     p--;
> }
>
> *p = (u_char) len;
>
> line 1778
>     if (*s != '.') {
>
> if ctx->name.data = 0x0, ctx->name.len = 0
> s = 0xffffffff
>
> *s will cause a segmentation fault.
Nice catch, thanks.
This is not expected to happen with current code, as ngx_resolve_name()
is never called with ctx->name set to { NULL, 0 }. Though it
needs fixing anyway. Care to provide a patch?
Maxim Dounin
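As an added illustration (not nginx code and not part of this thread), the hostname-to-label encoding from the quoted loop rewritten with the guard the report calls for: the empty/NULL name is rejected before any pointer arithmetic, and the loop walks by index so `name - 1` is never formed. The function name `dns_encode_name` and its buffer-length contract are assumptions of this example.

```c
#include <string.h>

/* Convert "www.example.com" to DNS wire form "\3www\7example\3com\0" in buf.
 * Returns the encoded length (len + 2), or 0 if the name is empty or
 * malformed or buf is too small. Stand-in for the quoted loop, not nginx code. */
size_t dns_encode_name(const char *name, size_t len,
                       unsigned char *buf, size_t buflen)
{
    size_t i, label = 0;
    unsigned char *p;

    /* The reported crash: with name == NULL and len == 0 the original forms
     * s = name + len - 1, which wraps to 0xffffffff, passes "s >= name" and
     * is dereferenced. Reject that input first, plus over-long names (RFC 1035
     * caps a name at 253 octets in text form). */
    if (name == NULL || len == 0 || len > 253 || buflen < len + 2) {
        return 0;
    }

    p = buf + len + 1;          /* last byte is the empty root label */
    *p-- = '\0';

    /* Walk backwards by index so no pointer is ever formed before name. */
    for (i = len; i > 0; i--) {
        unsigned char c = (unsigned char) name[i - 1];

        if (c != '.') {
            *p = c;
            label++;
        } else {
            /* "a..b" or a trailing '.' yields an empty label; 63 is the max */
            if (label == 0 || label > 63) {
                return 0;
            }
            *p = (unsigned char) label;
            label = 0;
        }
        p--;
    }

    if (label == 0 || label > 63) {     /* a leading '.' empties the first label */
        return 0;
    }
    *p = (unsigned char) label;         /* p == buf here */

    return len + 2;
}
```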