possible problem with ngx_palloc_small()
Maksim Yevmenkin
maksim.yevmenkin at gmail.com
Mon Aug 31 18:08:13 UTC 2020
Hello,
a colleague of mine sent me this
==
There is a problem in ngx_palloc_small() if it is called with arg
'align' set true when the small buffer is almost exhausted such that
there are fewer bytes available in that buffer than the change in
alignment consumes.
In that case, 'm' (the alignment adjusted start of the remainder of
the buffer) may move beyond the 'end' marker, meaning that p->d.end -
m becomes negative.
Unfortunately, that subtraction is cast to a size_t (unsigned) and so
its comparison to '>= size' is very likely true, meaning that the
p->d.last is advanced beyond p->d.end and so memory already utilised
is returned. If that happens to trample over bytes used for, say, the
p->large->next...->next chain, then a BUS error is likely.
It seems that this can be addressed by:
@@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
ngx_uint_t align)
m = ngx_align_ptr(m, NGX_ALIGNMENT);
}
- if ((size_t) (p->d.end - m) >= size) {
+ if (p->d.end >= (size + m)) {
p->d.last = m + size;
return m;
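Review bot: the replacement on the `+` line forms `size + m` before checking whether that address lies inside the buffer; when the free tail is short, `m + size` points more than one past the end of the pool block, which C leaves undefined even though the pointer comparison itself behaves on every platform nginx runs on. The intent is right, since the original `(size_t) (p->d.end - m) >= size` wraps to a huge value once alignment has pushed `m` past `p->d.end`, so a form that keeps the arithmetic inside the block is preferable, e.g. `if (m <= p->d.end && (size_t) (p->d.end - m) >= size)`: the subtraction is then never evaluated with a negative difference.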
==
can someone please share thoughts, comments, etc?
thanks,
max
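The wrap described in the quoted text, as an added example that is not nginx's own code: a constructed stand-in for the two pool fields involved, the original comparison beside a guarded one, and a buffer whose free tail is shorter than the alignment step.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two ngx_pool_data_t fields the check uses.
 * Constructed for this example; not nginx's own definition. */
typedef struct {
    unsigned char *last;   /* first free byte of the small buffer */
    unsigned char *end;    /* one past the last usable byte */
} pool_data_t;

#define ALIGNMENT 16       /* stands in for NGX_ALIGNMENT */

/* Same rounding as nginx's ngx_align_ptr: round p up to a multiple of a. */
static unsigned char *align_ptr(unsigned char *p, uintptr_t a)
{
    return (unsigned char *) (((uintptr_t) p + (a - 1)) & ~(a - 1));
}

/* The comparison from the post. Once alignment has moved m past end,
 * end - m is negative and the cast to size_t wraps it to a huge value,
 * so the check passes and last would be advanced beyond end. */
int original_check_fits(const pool_data_t *d, unsigned char *m, size_t size)
{
    return (size_t) (d->end - m) >= size;
}

/* Guarded form: refuse any m past end before doing unsigned arithmetic. */
int guarded_check_fits(const pool_data_t *d, unsigned char *m, size_t size)
{
    return m <= d->end && (size_t) (d->end - m) >= size;
}

/* Reproduce the failure with a free tail shorter than the alignment step.
 * Returns 1 when the original check wrongly accepts and the guarded rejects. */
int reproduce_wrap(void)
{
    static unsigned char storage[96];
    unsigned char *buf = align_ptr(storage, ALIGNMENT); /* 16-aligned base */
    pool_data_t d = { buf + 58, buf + 61 };   /* 3 bytes free, end unaligned */
    unsigned char *m = align_ptr(d.last, ALIGNMENT);    /* buf + 64, past end */
    return original_check_fits(&d, m, 8) == 1 && guarded_check_fits(&d, m, 8) == 0;
}

int main(void)
{
    printf("original check accepts, guarded rejects: %d\n", reproduce_wrap());
    return 0;
}
```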