nginx + my module crashes only when ignore client abort = on

Maxim Dounin mdounin at mdounin.ru
Sun Mar 17 23:52:13 UTC 2013


Hello!

On Sun, Mar 17, 2013 at 05:47:24AM -0400, gadh wrote:

Below are just a couple of comments.  The outlined problems are enough to 
cause arbitrary segmentation faults, and I haven't looked for 
more.

[...]

> 	ngx_memzero(&sr->headers_in, sizeof(sr->headers_in));

Note: this ruins original request headers.  It's enough to cause 
anything.

[...]

> 	// do not inherit rb from parent
> 	sr->request_body = ngx_palloc(r->pool, sizeof(ngx_http_request_body_t));
> 	NGX_aaa_CHECK_ALLOC_AND_RETURN(sr->request_body)
> 
> 	// note: always alloc bufs even if ptr is lid - since its garbage from former request ! (caused seg fault in mod_proxy !)
> 	sr->request_body->bufs = ngx_alloc_chain_link(r->pool);
> 	NGX_aaa_CHECK_ALLOC_AND_RETURN(sr->request_body->bufs)
> 
> 	// post body - re-populate , do not inherit from parent
> 	sr->request_body->bufs->buf = buf;
> 	sr->request_body->bufs->next = NULL;
> 	sr->request_body->buf = buf;

Note: you allocate the request body structure and only initialize some 
of its members.  E.g. sr->request_body->temp_file remains 
uninitialized and will likely be dereferenced, resulting in 
a segmentation fault.

You have to at least change ngx_palloc() to ngx_pcalloc().

[...]

> BTW, is there any "nginx subrequest coding guide" documentation available?
> It's very confusing and lacks much info on the web, I got it working only
> thru a lot of trial-and-error.

Subrequests are dead simple in their supported form: you just call 
ngx_http_subrequest() in a body filter, and the result is added to 
the output at the appropriate point.  A good sample is available in 
ngx_http_addition_filter_module.c.

What you try to do with subrequests isn't really supported (the 
fact that it works is actually a side effect of the subrequest 
processing rewrite in 0.7.25), hence no guides.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
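
Added example, not part of the original message or of nginx: a self-contained C sketch of the ngx_palloc() versus ngx_pcalloc() point above, showing how a member that is never assigned keeps whatever bytes the pool memory held before. All `demo_*` names, the trimmed struct and the 0xAA fill are hypothetical stand-ins constructed for illustration; only the "not cleared" versus "zeroed" allocation contracts are taken from the message.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not nginx definitions. */
typedef struct {
    void *temp_file;   /* never assigned, as in the quoted module code */
    void *bufs;
    void *buf;
} demo_request_body_t;
typedef struct { unsigned char *mem; size_t size, used; } demo_pool_t;

/* Same contract as ngx_palloc(): memory is returned as-is, not cleared. */
static void *demo_palloc(demo_pool_t *p, size_t n) {
    n = (n + 15) & ~(size_t)15;              /* keep blocks 16-byte aligned */
    if (n > p->size - p->used) return NULL;
    void *ptr = p->mem + p->used;
    p->used += n;
    return ptr;
}

/* Same contract as ngx_pcalloc(): allocate, then zero the block. */
static void *demo_pcalloc(demo_pool_t *p, size_t n) {
    void *ptr = demo_palloc(p, n);
    if (ptr != NULL) memset(ptr, 0, n);
    return ptr;
}

/* Mirrors the quoted code: only bufs and buf are set after allocation. */
static demo_request_body_t *demo_make_body(demo_pool_t *p, int zeroed, void *buf) {
    demo_request_body_t *rb = zeroed ? demo_pcalloc(p, sizeof(*rb))
                                     : demo_palloc(p, sizeof(*rb));
    if (rb == NULL) return NULL;
    rb->bufs = buf;
    rb->buf = buf;
    return rb;
}

/* Returns 1 when temp_file looks "set" to a consumer that tests it for NULL. */
static int demo_run(int zeroed) {
    demo_pool_t p = { malloc(256), 256, 0 };
    char body[] = "constructed body";
    if (p.mem == NULL) return -1;
    memset(p.mem, 0xAA, p.size);             /* constructed leftovers from earlier use */
    demo_request_body_t *rb = demo_make_body(&p, zeroed, body);
    int set = (rb != NULL && rb->temp_file != NULL);
    free(p.mem);
    return set;
}

int main(void) { return (demo_run(0) == 1 && demo_run(1) == 0) ? 0 : 1; }
```

With the non-zeroing allocator the stale bytes make `temp_file` non-NULL, so any code that checks it before use would follow a garbage pointer; the zeroing allocator leaves it NULL.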
