Mercurial > hg > nginx
comparison src/http/ngx_http_core_module.c @ 6244:055d1f63960a
Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created. Example configuration to reproduce the problem:
location "" {
location @foo {}
}
Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.
Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.
Reported by Markus Linnala.
Found with afl-fuzz.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Fri, 11 Sep 2015 17:04:04 +0300 |
| parents | 8c6e71722aff |
| children | 257b51c37c5a |
comparison
equal
deleted
inserted
replaced
| 6243:4821fc788c12 | 6244:055d1f63960a |
|---|---|
| 3194 } | 3194 } |
| 3195 } | 3195 } |
| 3196 | 3196 |
| 3197 pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index]; | 3197 pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index]; |
| 3198 | 3198 |
| 3199 if (pclcf->name.len) { | 3199 if (cf->cmd_type == NGX_HTTP_LOC_CONF) { |
| 3200 | 3200 |
| 3201 /* nested location */ | 3201 /* nested location */ |
| 3202 | 3202 |
| 3203 #if 0 | 3203 #if 0 |
| 3204 clcf->prev_location = pclcf; | 3204 clcf->prev_location = pclcf; |