[PATCH] Fixed segfault if regex studies list allocation fails

Sergey Kandaurov pluknet at nginx.com
Mon Apr 17 12:54:37 UTC 2023


> On 17 Apr 2023, at 07:47, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1681703207 -10800
> #      Mon Apr 17 06:46:47 2023 +0300
> # Node ID 910ee4cb25e07423a40fa6951d62f74029e7db2d
> # Parent  5f1d05a21287ba0290dd3a17ad501595b442a194
> Fixed segfault if regex studies list allocation fails.
> 
> The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
> and this used to cause NULL pointer dereference if allocation
> failed.  Fix is to set cleanup handler only when allocation succeeds.
> 
> diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
> --- a/src/core/ngx_regex.c
> +++ b/src/core/ngx_regex.c
> @@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle
>         return NULL;
>     }
> 
> -    cln->handler = ngx_regex_cleanup;
> -    cln->data = rcf;
> -
>     rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
>     if (rcf->studies == NULL) {
>         return NULL;
>     }
> 
> +    cln->handler = ngx_regex_cleanup;
> +    cln->data = rcf;
> +
>     ngx_regex_studies = rcf->studies;
> 
>     return rcf;
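Review bot: with the handler assignment moved below `if (rcf->studies == NULL) { return NULL; }`, the early-return path now leaves a cleanup entry that was added to the pool but never had `cln->handler` set, so the fix depends on pool destruction skipping handler-less entries; a one-line comment above the moved `cln->handler = ngx_regex_cleanup;` stating that intent would keep a future reordering from reintroducing the crash. For defence in depth, ngx_regex_cleanup() could also return early when `rcf->studies` is NULL, so the handler is safe regardless of the order in which it is armed.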

Looks good.

On a related note, 2ca57257252d, where it was seemingly
introduced, has a "Core:" log summary prefix.

-- 
Sergey Kandaurov
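The ordering bug the patch above fixes, reduced to a self-contained C model (added illustration, not nginx code): a pool whose cleanup chain is run at destruction, a conf whose cleanup handler walks a list, and two create-conf variants, one arming the handler before the list allocation and one after it. The `pool_t`, `list_t`, `cleanup_t` types and the `fail_list_alloc` knob are constructed stand-ins for the real nginx structures; the only nginx behaviour assumed is that a cleanup entry is linked in with a NULL handler and that pool destruction skips entries whose handler is still NULL. The handler records a NULL list instead of dereferencing it, so the crash condition can be observed without crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins (assumed, not nginx's real structures) for the pool
 * cleanup chain and the regex conf with its studies list. */
typedef struct { size_t nelts; } list_t;
typedef struct { list_t *studies; } regex_conf_t;

typedef void (*cleanup_handler_pt)(void *data);
typedef struct cleanup_s {
    cleanup_handler_pt  handler;
    void               *data;
    struct cleanup_s   *next;
} cleanup_t;

typedef struct {
    cleanup_t *cleanup;          /* cleanup chain, run at pool destruction */
    int        fail_list_alloc;  /* test knob: make list_create() fail     */
} pool_t;

/* Like ngx_pool_cleanup_add(): the entry is linked in with handler == NULL. */
static cleanup_t *pool_cleanup_add(pool_t *p) {
    cleanup_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->next = p->cleanup;
    p->cleanup = c;
    return c;
}

static list_t *list_create(pool_t *p) {
    if (p->fail_list_alloc) return NULL;   /* simulated allocation failure */
    return calloc(1, sizeof(list_t));
}

/* Like ngx_destroy_pool(): entries whose handler is still NULL are skipped. */
static void pool_destroy(pool_t *p) {
    cleanup_t *c = p->cleanup;
    while (c != NULL) {
        cleanup_t *next = c->next;
        if (c->handler != NULL) c->handler(c->data);
        free(c);
        c = next;
    }
    p->cleanup = NULL;
}

/* Cleanup handler. The real ngx_regex_cleanup() walks rcf->studies
 * unconditionally; here a NULL list is recorded instead of dereferenced. */
static int null_studies_seen;

static void regex_cleanup(void *data) {
    regex_conf_t *rcf = data;
    if (rcf->studies == NULL) {      /* the NULL dereference in the unfixed code */
        null_studies_seen = 1;
        return;
    }
    free(rcf->studies);
    rcf->studies = NULL;
}

/* Unfixed order: handler armed before the list it will walk exists. */
static regex_conf_t *create_conf_before(pool_t *p, regex_conf_t *rcf) {
    cleanup_t *cln = pool_cleanup_add(p);
    if (cln == NULL) return NULL;
    cln->handler = regex_cleanup;
    cln->data = rcf;
    rcf->studies = list_create(p);
    if (rcf->studies == NULL) return NULL;   /* cleanup already armed */
    return rcf;
}

/* Fixed order, as in the patch: arm the handler only after the list exists. */
static regex_conf_t *create_conf_after(pool_t *p, regex_conf_t *rcf) {
    cleanup_t *cln = pool_cleanup_add(p);
    if (cln == NULL) return NULL;
    rcf->studies = list_create(p);
    if (rcf->studies == NULL) return NULL;   /* entry stays handler-less */
    cln->handler = regex_cleanup;
    cln->data = rcf;
    return rcf;
}

/* Builds a conf, destroys the pool, and returns 1 if the cleanup handler ran
 * against a NULL studies list (where the original code would have segfaulted). */
int cleanup_hits_null(int fixed, int alloc_fails) {
    pool_t pool = { NULL, alloc_fails };
    regex_conf_t rcf = { NULL };
    null_studies_seen = 0;
    (void) (fixed ? create_conf_after(&pool, &rcf) : create_conf_before(&pool, &rcf));
    pool_destroy(&pool);
    return null_studies_seen;
}

int main(void) {
    printf("unfixed, alloc fails: %d\n", cleanup_hits_null(0, 1));  /* 1 */
    printf("fixed,   alloc fails: %d\n", cleanup_hits_null(1, 1));  /* 0 */
    printf("fixed,   alloc ok:    %d\n", cleanup_hits_null(1, 0));  /* 0 */
    return 0;
}
```

The general rule the model shows is that a cleanup handler must not be registered until every resource it touches has been successfully allocated, or the handler must tolerate a partially initialised data block; the patch takes the first route.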

