[nginx] setting variable cause core when used by lua
Maxim Dounin
mdounin at mdounin.ru
Thu Feb 16 14:14:47 UTC 2017
Hello!
On Thu, Feb 16, 2017 at 03:51:24PM +0800, 洪志道 wrote:
> Hi.
>
> diff -r da46bfc484ef src/http/ngx_http_variables.c
> --- a/src/http/ngx_http_variables.c Mon Feb 13 21:45:01 2017 +0300
> +++ b/src/http/ngx_http_variables.c Wed Feb 08 10:31:53 2017 +0800
> @@ -783,6 +783,10 @@
> ssize_t s, *sp;
> ngx_str_t val;
>
> + if (v->data == NULL) {
> + return;
> + }
> +
> val.len = v->len;
> val.data = v->data;
>
>
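Review bot: The added guard tests `v->data == NULL`, but the lines right after it copy `v->len` into `val.len`, so a value with a non-NULL pointer and zero length still reaches whatever parses `val`. Checking the length (or fixing the parser that consumes `val`) would cover both cases. The bare `return` also drops the assignment without logging anything, which makes an undefined or misconfigured value hard to notice.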
> The following will cause a core file; I think it's better to deal with it in
> nginx.
>
> server {
>     listen 8000;
>
>     location / {
>         content_by_lua_block {
>             ngx.var.limit_rate = size; -- size is undefined.
>             ngx.say('hello lua');
>         }
>     }
> }

This looks like a bug in ngx_parse_size(): it incorrectly assumes
that the input string is at least 1 character long. And I believe
it can be triggered without Lua too.

Please test if the following patch fixes things for you:

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1487253948 -10800
# Thu Feb 16 17:05:48 2017 +0300
# Node ID 51c8df305d083bc57828f68cd6e709cacdcc41c0
# Parent be00ca08e41a69e585b6aff70a725ed6c9e1a876
Fixed ngx_parse_size() / ngx_parse_offset() with 0-length strings.
diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -17,6 +17,11 @@ ngx_parse_size(ngx_str_t *line)
ssize_t size, scale, max;
len = line->len;
+
+ if (len == 0) {
+ return NGX_ERROR;
+ }
+
unit = line->data[len - 1];
switch (unit) {
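Review bot: Returning NGX_ERROR for an empty string in ngx_parse_size() relies on every caller checking for it before using the result as a size; the function works in `ssize_t`, so an unchecked caller would carry -1 forward. Worth confirming that the variable setter from the report rejects and logs the value rather than storing it.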
@@ -58,6 +63,11 @@ ngx_parse_offset(ngx_str_t *line)
size_t len;
len = line->len;
+
+ if (len == 0) {
+ return NGX_ERROR;
+ }
+
unit = line->data[len - 1];
switch (unit) {
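Review bot: The `len == 0` guard in ngx_parse_offset() is a copy of the one added to ngx_parse_size() and neither says why it is needed. `len` is a `size_t` here, so for an empty string `len - 1` wraps and `line->data[len - 1]` reads far outside the buffer; naming that out-of-bounds read in a one-line comment or in the commit message would make the reason for the check clear to later readers.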
--
Maxim Dounin
http://nginx.org/
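
The empty-string case discussed in this message, as an added example that is not part of the original post and is not nginx code: a simplified model of a counted-string size parser with the zero-length guard in place. All names (`str_t`, `PARSE_ERROR`, `SIZE_LIMIT`, `last_index`, `parse_size`, `parse_counted`) are hypothetical, and only the k and m suffixes are modelled.

```c
/* Added example: simplified model of a counted-string size parser.
 * All identifiers are hypothetical stand-ins, not nginx identifiers. */
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
typedef struct { size_t len; const unsigned char *data; } str_t;
#define PARSE_ERROR ((ssize_t) -1)
#define SIZE_LIMIT  ((ssize_t) (SIZE_MAX / 2))   /* assumed ssize_t maximum */

/* Index an unguarded parser would use for the unit suffix.
 * For len == 0 the unsigned subtraction wraps to SIZE_MAX. */
size_t last_index(size_t len) { return len - 1; }

ssize_t parse_size(const str_t *line)
{
    size_t   i, len = line->len;
    ssize_t  size = 0, scale = 1;
    if (len == 0 || line->data == NULL) {
        return PARSE_ERROR;          /* guard before touching data[len - 1] */
    }
    switch (line->data[len - 1]) {
    case 'K': case 'k': len--; scale = 1024; break;
    case 'M': case 'm': len--; scale = 1024 * 1024; break;
    }
    if (len == 0) {
        return PARSE_ERROR;          /* a bare suffix such as "k" has no digits */
    }
    for (i = 0; i < len; i++) {
        int d = line->data[i] - '0';
        if (d < 0 || d > 9 || size > (SIZE_LIMIT / scale - d) / 10) {
            return PARSE_ERROR;      /* non-digit, or the result would overflow */
        }
        size = size * 10 + d;
    }
    return size * scale;
}

/* Parse the first len bytes of s; the input is counted, not NUL-terminated. */
ssize_t parse_counted(const char *s, size_t len)
{
    str_t v = { len, (const unsigned char *) s };
    return parse_size(&v);
}

int main(void)
{
    printf("%zu %zd %zd\n", last_index(0), parse_counted("", 0), parse_counted("10k", 3));
    return 0;
}
```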