[quic] ngx_quic_input_handler Segmentation fault because c->udp->dgram is null

Gao,Yan(媒体云) gaoyan09 at baidu.com
Wed Jan 26 06:13:54 UTC 2022


I guess the problem is in this function call chain: final_early_data (openssl) -> quic_set_encryption_secrets -> ngx_quic_set_encryption_secrets -> ngx_quic_init_streams -> ngx_ssl_ocsp_validate -> ngx_handle_read_event
But this connection->quic would always be null, and it cannot jump to the quic if branch in ngx_handle_read_event

Gao,Yan(ACG VCP)

From: "Gao,Yan(媒体云)" <gaoyan09 at baidu.com>
Date: Wednesday, January 26, 2022, 12:56 PM
To: "nginx-devel at nginx.org" <nginx-devel at nginx.org>
Subject: Re: [quic] ngx_quic_input_handler Segmentation fault because c->udp->dgram is null

>  Thank you for the report!
>  Can you please enable debug and provide a debug log?

Sorry, this is a very rare case, and I do not know how to trigger this bug steadily.
Here is more data from the stack:

p *c
$1 = {data = 0x7efd695c74c0, read = 0xf2aa990, write = 0xfa72ca0, fd = 5547, recv = 0x4a7c9a <ngx_udp_shared_recv>, send = 0x4ab5b9 <ngx_udp_unix_send>, recv_chain = 0x0,
  send_chain = 0x4ab7a7 <ngx_udp_unix_sendmsg_chain>, listening = 0x29cf140, sent = 0, log = 0x7efd695c73f0, pool = 0x7efd695c7330, type = 2, sockaddr = 0x7efd695c7380, socklen = 16,
  addr_text = {len = 15, data = 0x7efd695c74b0 "123.101.125.168.H\270(\v"}, proxy_protocol = 0x0, quic = 0x0, ssl = 0x1e491e8, udp = 0x1e49150, local_sockaddr = 0x7efd695c7440, local_socklen = 16,
  buffer = 0x7efd695c7450, queue = {prev = 0x0, next = 0x0}, number = 433923428, start_time = 3194843312, requests = 0, buffered = 0, log_error = 2, timedout = 0, error = 0,
  destroyed = 0, idle = 0, reusable = 0, close = 0, shared = 1, sendfile = 0, sndlowat = 0, tcp_nodelay = 0, tcp_nopush = 0, need_last_buf = 0}

p *c->ssl
$2 = {connection = 0x7efd708fdb00, session_ctx = 0x7efd69052970, last = 0, buf = 0x0, buffer_size = 16384,
  handler = 0x0, session = 0x0, save_session = 0x0, saved_read_handler = 0x0, saved_write_handler = 0x0, ocsp = 0x0, early_buf = 0 '\000', handshaked = 0, handshake_rejected = 0, renegotiation = 0,
  buffer = 1, sendfile = 0, no_wait_shutdown = 1, no_send_shutdown = 0, shutdown_without_free = 0, handshake_buffer_set = 0, try_early_data = 0, in_early = 0, in_ocsp = 0, early_preread = 0, write_blocked = 0}

And you can see it happened before handshaked

Gao,Yan(ACG VCP)