# HG changeset patch # User Valentin Bartenev # Date 1441052716 -10800 # Node ID 8c6e71722aff56001ff50a82e3b9dc506108b4e3 # Parent 06e850859a262ae55d68e6e4a1985fe64ad31f87 Added protection against r->main->count overflow by subrequests. This overflow has become possible after the change in 06e850859a26, since concurrent subrequests are not limited now and each of them is counted in r->main->count. diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -2433,6 +2433,16 @@ ngx_http_subrequest(ngx_http_request_t * return NGX_ERROR; } + /* + * 1000 is reserved for other purposes. + */ + if (r->main->count >= 65535 - 1000) { + ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0, + "request reference counter overflow " + "while processing \"%V\"", uri); + return NGX_ERROR; + } + sr = ngx_pcalloc(r->pool, sizeof(ngx_http_request_t)); if (sr == NULL) { return NGX_ERROR; diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -439,8 +439,8 @@ struct ngx_http_request_s { ngx_http_cleanup_t *cleanup; + unsigned count:16; unsigned subrequests:8; - unsigned count:8; unsigned blocked:8; unsigned aio:1;