nginx 0.8.41 segfaults in ngx_list_push

Maxim Dounin mdounin at
Mon Jun 21 22:18:33 MSD 2010


On Mon, Jun 21, 2010 at 10:57:06AM -0700, Roman Vasilyev wrote:

> Hi,
> I'm not using any of these functions and as I can see mod_gzip is not
> calling these functions either, but it uses ngx_list_push.
> Here are parts of my code:
> static ngx_int_t ngx_http_header_add(ngx_http_request_t *r, char *key, ngx_str_t value)
> {
>     ngx_table_elt_t *h;
>     if (!key || value.len==0)
>         return -1;
>     h = ngx_list_push(&r->headers_in.headers); <==

You shouldn't attempt to modify r->headers_in, it's not a safe 
operation to do.

And r->headers_in are known to sometimes be in an inconsistent 
state - e.g. in subrequests, where they are partially copied from 
parent request, but members needed for manipulations aren't 
correctly initialized (as request headers were already parsed and 
no further manipulations are expected).

Further reading:

Maxim Dounin
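
The hazard described in the reply above, as an added stand-alone C model (not nginx source and not code from this thread): it assumes a list whose first part is embedded in the list structure, so a plain structure copy leaves `last` pointing into the original. All type and function names are hypothetical.

```c
#include <stdlib.h>

/* Simplified model with hypothetical names, not nginx source: the first
 * part lives inside the list struct; 'last' is the part the next push uses. */
typedef struct part_s { int *elts; size_t nelts; struct part_s *next; } part_t;
typedef struct { part_t *last; part_t part; size_t nalloc; } list_t;

static int list_init(list_t *l, size_t n) {
    l->part.elts = calloc(n, sizeof(int));
    if (l->part.elts == NULL) return -1;
    l->part.nelts = 0;
    l->part.next = NULL;
    l->last = &l->part;          /* self-reference: not preserved by struct copy */
    l->nalloc = n;
    return 0;
}

/* Consistent only if walking from the list's OWN embedded part reaches 'last'. */
static int list_is_consistent(const list_t *l) {
    for (const part_t *p = &l->part; p != NULL; p = p->next)
        if (p == l->last) return 1;
    return 0;
}

/* Push that refuses to write through a 'last' that belongs to another list. */
static int *list_push_checked(list_t *l) {
    if (!list_is_consistent(l)) return NULL;
    part_t *p = l->last;
    if (p->nelts == l->nalloc) {             /* part full: chain a new one */
        part_t *np = calloc(1, sizeof(*np));
        if (np == NULL) return NULL;
        np->elts = calloc(l->nalloc, sizeof(int));
        if (np->elts == NULL) { free(np); return NULL; }
        p->next = np;
        l->last = p = np;
    }
    return &p->elts[p->nelts++];
}

/* Returns 1 when the original is consistent, the shallow copy is detected
 * as inconsistent, and the refused push left the original untouched. */
int demo_shallow_copy(void) {
    list_t parent, child;
    if (list_init(&parent, 4) != 0 || list_push_checked(&parent) == NULL) return -1;
    child = parent;              /* child.last still points at parent.part */
    int ok = list_is_consistent(&parent) && !list_is_consistent(&child)
             && list_push_checked(&child) == NULL && parent.part.nelts == 1;
    free(parent.part.elts);
    return ok;
}

int main(void) { return demo_shallow_copy() == 1 ? 0 : 1; }
```

Without the consistency check, a push on the copy would update the original's part while the copy's own embedded part stays stale, which is the kind of inconsistent state the reply warns about.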
