[PATCH] Fixing memory overflow issues in ngx_resolver's debug logging code
agentzh
agentzh at gmail.com
Fri Jun 1 10:14:58 UTC 2012
Hello!
I've noticed a small memory overflow issue in ngx_resolver's debug
logging code that was caught by Valgrind/Memcheck on Linux x86_64.
Basically, when calling ngx_log_debug6 from within
ngx_resolver_process_response, the "%ui" formatter is incorrectly used
for int-typed values "(query->nns_hi << 8) + query->nns_lo" and
"(query->nar_hi << 8) + query->nar_lo".
Attached below is a patch for nginx 1.3.0 :)
Hope this helps,
-agentzh
--- nginx-1.3.0/src/core/ngx_resolver.c 2012-05-14 17:13:45.000000000 +0800
+++ nginx-1.3.0-patched/src/core/ngx_resolver.c 2012-06-01
18:08:06.512047421 +0800
@@ -1035,7 +1035,7 @@
nan = (query->nan_hi << 8) + query->nan_lo;
ngx_log_debug6(NGX_LOG_DEBUG_CORE, r->log, 0,
- "resolver DNS response %ui fl:%04Xui %ui/%ui/%ui/%ui",
+ "resolver DNS response %ui fl:%04Xui %ui/%ui/%ud/%ud",
ident, flags, nqs, nan,
(query->nns_hi << 8) + query->nns_lo,
(query->nar_hi << 8) + query->nar_lo);
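Review bot: The last two arguments are still unnamed int expressions, so the format string now mixes `%ui` and `%ud` for four values that are all 16-bit header counts, and the specifier/type pairing has to be re-derived by eye at the call site. Consider assigning them to locals the way `nan` is on the first context line (hypothetical names `nns` and `nar`, with the same type as `nqs` and `nan`, which their `%ui` specifiers imply is ngx_uint_t) and keeping `%ui/%ui/%ui/%ui`. If the `%ud` route is kept, a short comment noting that these two arguments are plain int would stop a later edit from "normalising" them back to `%ui`.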
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-1.3.0-resolver_debug_log_overflow.patch
Type: application/octet-stream
Size: 594 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120601/58e8ae1b/attachment.obj>
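The mismatch described in the message, and two ways to make specifier and argument agree, as an added example that is not part of the original post and is not nginx code. `mini_fmt`, `struct hdr`, `counts_ud` and `counts_ui` are hypothetical names; the formatter models only the rule that `%ui` fetches a pointer-sized unsigned value while `%ud` fetches an unsigned int, and the header bytes are constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the nginx formatter; handles only %ui and %ud.
 * %ui fetches a pointer-sized unsigned (as ngx_uint_t is), %ud an unsigned int. */
static size_t mini_fmt(char *buf, size_t n, const char *fmt, ...) {
    size_t len = 0;
    va_list ap;
    if (n == 0) return 0;
    va_start(ap, fmt);
    while (*fmt && len + 1 < n) {
        if (fmt[0] == '%' && fmt[1] == 'u' && (fmt[2] == 'i' || fmt[2] == 'd')) {
            unsigned long long v = (fmt[2] == 'i')
                ? (unsigned long long) va_arg(ap, uintptr_t)     /* 8 bytes on x86_64 */
                : (unsigned long long) va_arg(ap, unsigned int); /* 4 bytes */
            int w = snprintf(buf + len, n - len, "%llu", v);
            if (w < 0) break;
            len = ((size_t) w >= n - len) ? n - 1 : len + (size_t) w;
            fmt += 3;
        } else {
            buf[len++] = *fmt++;
        }
    }
    va_end(ap);
    buf[len] = '\0';
    return len;
}

/* Constructed header bytes named after the patch's fields: counts 258 and 13. */
struct hdr { unsigned char nns_hi, nns_lo, nar_hi, nar_lo; };
static const struct hdr sample = { 0x01, 0x02, 0x00, 0x0d };
static char out[32];

/* What the patch does: leave the int expressions alone and use %ud. */
static const char *counts_ud(const struct hdr *q) {
    mini_fmt(out, sizeof(out), "%ud/%ud",
             (q->nns_hi << 8) + q->nns_lo, (q->nar_hi << 8) + q->nar_lo);
    return out;
}

/* Alternative: keep %ui and cast each argument to the type it fetches. */
static const char *counts_ui(const struct hdr *q) {
    mini_fmt(out, sizeof(out), "%ui/%ui", (uintptr_t) ((q->nns_hi << 8) + q->nns_lo),
             (uintptr_t) ((q->nar_hi << 8) + q->nar_lo));
    return out;
}

int main(void) { puts(counts_ud(&sample)); puts(counts_ui(&sample)); return 0; }
```

Passing the uncast int expressions with `%ui` is deliberately not shown: `va_arg` would then fetch a wider type than the caller supplied, which is undefined behaviour in C.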