Mercurial > hg > nginx
annotate src/os/unix/ngx_setproctitle.c @ 9112:d59277dd3d8c
QUIC: fixed post-close use-after-free.
Previously, ngx_quic_close_connection() could be called in a way that QUIC
connection was accessed after the call. In most cases the connection is not
closed right away, but close timeout is scheduled. However, it's not always
the case. Also, if the close process started earlier for a different reason,
calling ngx_quic_close_connection() may actually close the connection. The
connection object should not be accessed after that.
Now, when possible, return statement is added to eliminate post-close connection
object access. In other places ngx_quic_close_connection() is substituted with
posting close event.
Also, the new way of closing connection in ngx_quic_stream_cleanup_handler()
fixes another problem in this function. Previously it passed stream connection
instead of QUIC connection to ngx_quic_close_connection(). This could result
in incomplete connection shutdown. One consequence of that could be that QUIC
streams were freed without shutting down their application contexts. This could
result in another use-after-free.
Found by Coverity (CID 1530402).
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Mon, 22 May 2023 15:59:42 +0400 |
parents | 67653855682e |
children |
rev | line source |
---|---|
452 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
452 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 | |
11 | |
12 #if (NGX_SETPROCTITLE_USES_ENV) | |
13 | |
14 /* | |
15 * To change the process title in Linux and Solaris we have to set argv[1] | |
16 * to NULL and to copy the title to the same place where the argv[0] points to. | |
17 * However, argv[0] may be too small to hold a new title. Fortunately, Linux | |
18 * and Solaris store argv[] and environ[] one after another. So we should | |
19 * ensure that is the continuous memory and then we allocate the new memory | |
20 * for environ[] and copy it. After this we could use the memory starting | |
21 * from argv[0] for our process title. | |
22 * | |
23 * The Solaris's standard /bin/ps does not show the changed process title. | |
4572
67653855682e
Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
24 * You have to use "/usr/ucb/ps -w" instead. Besides, the UCB ps does not |
452 | 25 * show a new title if its length less than the origin command line length. |
26 * To avoid it we append to a new title the origin command line in the | |
27 * parenthesis. | |
28 */ | |
29 | |
30 extern char **environ; | |
31 | |
32 static char *ngx_os_argv_last; | |
33 | |
493 | 34 ngx_int_t |
35 ngx_init_setproctitle(ngx_log_t *log) | |
452 | 36 { |
493 | 37 u_char *p; |
452 | 38 size_t size; |
39 ngx_uint_t i; | |
40 | |
41 size = 0; | |
42 | |
43 for (i = 0; environ[i]; i++) { | |
44 size += ngx_strlen(environ[i]) + 1; | |
45 } | |
46 | |
501 | 47 p = ngx_alloc(size, log); |
48 if (p == NULL) { | |
452 | 49 return NGX_ERROR; |
50 } | |
51 | |
52 ngx_os_argv_last = ngx_os_argv[0]; | |
53 | |
54 for (i = 0; ngx_os_argv[i]; i++) { | |
55 if (ngx_os_argv_last == ngx_os_argv[i]) { | |
56 ngx_os_argv_last = ngx_os_argv[i] + ngx_strlen(ngx_os_argv[i]) + 1; | |
57 } | |
58 } | |
59 | |
60 for (i = 0; environ[i]; i++) { | |
61 if (ngx_os_argv_last == environ[i]) { | |
62 | |
63 size = ngx_strlen(environ[i]) + 1; | |
64 ngx_os_argv_last = environ[i] + size; | |
65 | |
493 | 66 ngx_cpystrn(p, (u_char *) environ[i], size); |
67 environ[i] = (char *) p; | |
452 | 68 p += size; |
69 } | |
70 } | |
71 | |
72 ngx_os_argv_last--; | |
73 | |
74 return NGX_OK; | |
75 } | |
76 | |
77 | |
493 | 78 void |
79 ngx_setproctitle(char *title) | |
452 | 80 { |
81 u_char *p; | |
82 | |
455 | 83 #if (NGX_SOLARIS) |
452 | 84 |
85 ngx_int_t i; | |
86 size_t size; | |
87 | |
88 #endif | |
89 | |
90 ngx_os_argv[1] = NULL; | |
91 | |
507 | 92 p = ngx_cpystrn((u_char *) ngx_os_argv[0], (u_char *) "nginx: ", |
452 | 93 ngx_os_argv_last - ngx_os_argv[0]); |
94 | |
95 p = ngx_cpystrn(p, (u_char *) title, ngx_os_argv_last - (char *) p); | |
96 | |
455 | 97 #if (NGX_SOLARIS) |
452 | 98 |
99 size = 0; | |
100 | |
101 for (i = 0; i < ngx_argc; i++) { | |
102 size += ngx_strlen(ngx_argv[i]) + 1; | |
103 } | |
104 | |
105 if (size > (size_t) ((char *) p - ngx_os_argv[0])) { | |
106 | |
107 /* | |
108 * ngx_setproctitle() is too rare operation so we use | |
109 * the non-optimized copies | |
110 */ | |
111 | |
112 p = ngx_cpystrn(p, (u_char *) " (", ngx_os_argv_last - (char *) p); | |
113 | |
114 for (i = 0; i < ngx_argc; i++) { | |
115 p = ngx_cpystrn(p, (u_char *) ngx_argv[i], | |
116 ngx_os_argv_last - (char *) p); | |
117 p = ngx_cpystrn(p, (u_char *) " ", ngx_os_argv_last - (char *) p); | |
118 } | |
119 | |
120 if (*(p - 1) == ' ') { | |
121 *(p - 1) = ')'; | |
122 } | |
123 } | |
124 | |
125 #endif | |
126 | |
127 if (ngx_os_argv_last - (char *) p) { | |
128 ngx_memset(p, NGX_SETPROCTITLE_PAD, ngx_os_argv_last - (char *) p); | |
129 } | |
130 | |
131 ngx_log_debug1(NGX_LOG_DEBUG_CORE, ngx_cycle->log, 0, | |
132 "setproctitle: \"%s\"", ngx_os_argv[0]); | |
133 } | |
134 | |
509 | 135 #endif /* NGX_SETPROCTITLE_USES_ENV */ |