possible problem with ngx_palloc_small()

Maksim Yevmenkin maksim.yevmenkin at gmail.com
Mon Aug 31 18:08:13 UTC 2020


a colleague of mine sent me this


There is a problem in ngx_palloc_small() if it is called with arg
'align' set true when the small buffer is almost exhausted such that
there are less bytes available in that buffer than the change in
alignment consumes

In that case, 'm' (the alignment adjusted start of the remainder of
the buffer) may move beyond the 'end' marker, meaning that p->d.end -
m becomes -ve.

Unfortunately, that subtraction is cast to a size_t (unsigned) and so
its comparison to '>= size' is very likely true, meaning that the
p->d.last is advanced beyond p->d.end and so memory already utilised
is returned. If that happens to trample over bytes used for say the
p->large->next...->next chain, then a BUS error is likely.

It seems that this can be addressed by:

 @@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
ngx_uint_t align)
             m = ngx_align_ptr(m, NGX_ALIGNMENT);

-        if ((size_t) (p->d.end - m) >= size) {
+        if (p->d.end >= (size + m)) {
             p->d.last = m + size;

             return m;
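Review bot: the replacement condition on the `+` line, `p->d.end >= (size + m)`, still forms the pointer `m + size`, and in the situation this patch targets (m already moved beyond p->d.end by ngx_align_ptr) that pointer lies outside the pool block, so the comparison relies on pointer arithmetic that C does not define and a compiler may not evaluate the way the author expects. The condition the description actually wants is "m has not overshot end, and the remaining bytes cover size", which can be written without the unsigned wraparound as `if (m <= p->d.end && (size_t) (p->d.end - m) >= size) {`. Separately, the hunk header is wrapped across two lines (`ngx_uint_t align)` on its own line), so the patch will not apply as posted; please resend it unwrapped.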

can someone please share thoughts, comments, etc?
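A self-contained model of the check described above, as an added example and not code from the post or from nginx: a toy bump allocator with a `last`/`end` pair, the original `(size_t)(end - m) >= size` test beside a form that first rejects an aligned pointer that has already passed `end`. The alignment value, the buffer layout and the 3-bytes-free scenario are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGNMENT 16u   /* stands in for NGX_ALIGNMENT; assumed value */

/* Toy model of the pool data block: last is the bump pointer, end the limit. */
typedef struct { unsigned char *last; unsigned char *end; } pool_data;

static unsigned char *align_ptr(unsigned char *p) {
    uintptr_t a = (uintptr_t) p;
    return (unsigned char *) ((a + ALIGNMENT - 1) & ~(uintptr_t) (ALIGNMENT - 1));
}

/* Check as in the original: (end - m) is negative once m overshoots end,
 * and the cast to size_t turns that into a huge value that passes >= size. */
static unsigned char *alloc_original(pool_data *d, size_t size) {
    unsigned char *m = align_ptr(d->last);
    if ((size_t) (d->end - m) >= size) { d->last = m + size; return m; }
    return NULL;
}

/* Hardened: reject the request as soon as alignment moved m past end. */
static unsigned char *alloc_fixed(pool_data *d, size_t size) {
    unsigned char *m = align_ptr(d->last);
    if (m <= d->end && (size_t) (d->end - m) >= size) { d->last = m + size; return m; }
    return NULL;
}

/* Backing store large enough that even the bogus pointer stays inside one
 * real object, so the demo itself never touches memory it does not own. */
static unsigned char backing[128];

/* Constructed scenario: 3 bytes left at an unaligned `last`, request 8 bytes.
 * Returns 1 if the allocator handed out memory beyond `end`, else 0. */
static int overruns(unsigned char *(*alloc)(pool_data *, size_t)) {
    unsigned char *base = align_ptr(backing);
    pool_data d = { base + 37, base + 40 };
    unsigned char *m = alloc(&d, 8);
    return m != NULL && (m < base || m + 8 > d.end);
}

int main(void) {
    printf("original check overruns: %d\n", overruns(alloc_original)); /* 1 */
    printf("fixed check overruns:    %d\n", overruns(alloc_fixed));    /* 0 */
    return 0;
}
```

With the original check, `m` lands 8 bytes past `end` and `last` is advanced 16 bytes beyond the block, which is exactly how a later allocation can overwrite memory that was already handed out.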


More information about the nginx-devel mailing list