Possible NULL pointer dereference in nxt_cache_wake_handler()

Max Romanov max.romanov at gmail.com
Sat Jun 11 10:50:11 UTC 2022


Hi Andrew,

Good catch!
This is a potential NULL dereference issue and it should be fixed before nxt_cache.c is added to the compiled files list :)

—
Best regards,
Max

> On 11 Jun 2022, at 04:44, Andrew Clayton <andrew at digital-domain.net> wrote:
> 
> So in src/nxt_cache.c we have the following function
> 
> static void
> nxt_cache_wake_handler(nxt_thread_t *thr, void *obj, void *data)
> {
>    nxt_cache_t             *cache;
>    nxt_work_handler_t      handler;
>    nxt_cache_query_t       *q;
>    nxt_cache_query_wait_t  *qw;
> 
>    qw = obj;
>    q = qw->query;
>    cache = qw->cache;
> 
>    nxt_cache_lock(cache);
> 
>    handler = nxt_cache_node_test(cache, q);
> 
>    if (handler != NULL) {
>        nxt_cache_query_wait_free(cache, qw);
> 
>    } else {
>        /* Wait again. */
>        qw->next = q->node->waiting;
>        q->node->waiting = qw;
>    }
> 
>    nxt_cache_unlock(cache);
> 
>    handler(thr, q, NULL);
> }
> 
> We set handler then check if it's NULL. However even if it is NULL we
> still call it with
> 
>    handler(thr, q, NULL);
> 
> Or am I missing something?
> 
> Andrew
> _______________________________________________
> unit mailing list -- unit at nginx.org
> To unsubscribe send an email to unit-leave at nginx.org
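The pattern Andrew points out, reduced to a self-contained model so the defect and the fix can be exercised side by side. This is an added example, not code from Unit or from either message in the thread: the model_* types and functions, the ready flag and the waiters counter are assumptions standing in for nxt_cache_node_test() and the real cache structures. The unguarded variant reports the would-be NULL call instead of performing it so that the behaviour is observable; the guarded variant moves the call into the non-NULL branch, which is the shape a fix would take.

```c
/*
 * Added example (not Unit's own code): a model of nxt_cache_wake_handler()
 * in which the "node test" may return NULL, meaning "not ready, wait again".
 * All names below are assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdio.h>

typedef void (*work_handler_t)(void *thr, void *obj, void *data);

typedef struct {
    int ready;      /* constructed: nonzero once the cached node is usable */
    int waiters;    /* constructed: number of times a query was re-queued */
} model_node_t;

typedef struct {
    model_node_t *node;
    int           handled;  /* set to 1 by the handler when it actually runs */
} model_query_t;

static void
model_done_handler(void *thr, void *obj, void *data)
{
    (void) thr;
    (void) data;
    ((model_query_t *) obj)->handled = 1;
}

/* Stand-in for nxt_cache_node_test(): NULL means the caller must wait again. */
static work_handler_t
model_node_test(model_query_t *q)
{
    return q->node->ready ? model_done_handler : NULL;
}

/*
 * Same control flow as the quoted function: handler is tested for NULL,
 * but the call after the lock is released is unconditional.  Returns 1
 * where the original code would dereference NULL, 0 otherwise.
 */
static int
wake_handler_unguarded(model_query_t *q)
{
    work_handler_t handler = model_node_test(q);

    if (handler != NULL) {
        /* the wait entry would be freed here */
    } else {
        q->node->waiters++;          /* wait again */
    }

    if (handler == NULL) {
        return 1;                    /* original: handler(thr, q, NULL) on NULL */
    }

    handler(NULL, q, NULL);
    return 0;
}

/* Fixed shape: only call the handler on the branch where it is known non-NULL. */
static int
wake_handler_guarded(model_query_t *q)
{
    work_handler_t handler = model_node_test(q);

    if (handler == NULL) {
        q->node->waiters++;          /* wait again; nothing to call yet */
        return 0;
    }

    /* the wait entry would be freed here */
    handler(NULL, q, NULL);
    return 0;
}

int
main(void)
{
    model_node_t  node = { 0, 0 };   /* constructed: node not yet ready */
    model_query_t q    = { &node, 0 };

    printf("unguarded would crash: %d\n", wake_handler_unguarded(&q));
    printf("guarded would crash:   %d\n", wake_handler_guarded(&q));

    node.ready = 1;
    wake_handler_guarded(&q);
    printf("handled once ready:    %d\n", q.handled);
    return 0;
}
```

The point the model makes explicit is that the NULL check only decides how the wait list is maintained; the call site sits after the lock is dropped and sees both branches, so a not-ready node reaches the indirect call with a NULL function pointer. Keeping the call under the same condition that validated the pointer is the minimal change, and it also keeps the "wait again" path free of any callback.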


