Mercurial > hg > nginx
comparison src/http/modules/ngx_http_rewrite_module.c @ 6244:055d1f63960a
Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created. Example configuration to reproduce the problem:
location "" {
location @foo {}
}
Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.
Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.
Reported by Markus Linnala.
Found with afl-fuzz.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Fri, 11 Sep 2015 17:04:04 +0300 |
| parents | 16a371063d20 |
| children | cf5e822cf470 |
comparison
equal
deleted
inserted
replaced
| 6243:4821fc788c12 | 6244:055d1f63960a |
|---|---|
| 610 | 610 |
| 611 | 611 |
| 612 save = *cf; | 612 save = *cf; |
| 613 cf->ctx = ctx; | 613 cf->ctx = ctx; |
| 614 | 614 |
| 615 if (pclcf->name.len == 0) { | 615 if (cf->cmd_type == NGX_HTTP_SRV_CONF) { |
| 616 if_code->loc_conf = NULL; | 616 if_code->loc_conf = NULL; |
| 617 cf->cmd_type = NGX_HTTP_SIF_CONF; | 617 cf->cmd_type = NGX_HTTP_SIF_CONF; |
| 618 | 618 |
| 619 } else { | 619 } else { |
| 620 if_code->loc_conf = ctx->loc_conf; | 620 if_code->loc_conf = ctx->loc_conf; |