Mercurial > hg > nginx
view src/http/ngx_http_busy_lock.c @ 5386:2d947c2e3ea1
Core: fix misallocation at ngx_crypt_apr1 (ticket #412).
Found by using auth_basic.t from mdounin nginx-tests under valgrind.
==10470== Invalid write of size 1
==10470== at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470== by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470== by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470== by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470== by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470== by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470== by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470== by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470== by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470== by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470== by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470== by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470== Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470== by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470== by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470== by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470== by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470== by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470== by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470== by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470== by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470== by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470== by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470== by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
author | Markus Linnala <Markus.Linnala@cybercom.com> |
---|---|
date | Fri, 20 Sep 2013 17:57:21 +0300 |
parents | 14411ee4d89f |
children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_http.h> static int ngx_http_busy_lock_look_cacheable(ngx_http_busy_lock_t *bl, ngx_http_busy_lock_ctx_t *bc, int lock); int ngx_http_busy_lock(ngx_http_busy_lock_t *bl, ngx_http_busy_lock_ctx_t *bc) { if (bl->busy < bl->max_busy) { bl->busy++; if (bc->time) { bc->time = 0; bl->waiting--; } return NGX_OK; } if (bc->time) { if (bc->time < bl->timeout) { ngx_add_timer(bc->event, 1000); return NGX_AGAIN; } bl->waiting--; return NGX_DONE; } if (bl->timeout == 0) { return NGX_DONE; } if (bl->waiting < bl->max_waiting) { bl->waiting++; #if 0 ngx_add_timer(bc->event, 1000); bc->event->event_handler = bc->event_handler; #endif /* TODO: ngx_handle_level_read_event() */ return NGX_AGAIN; } return NGX_ERROR; } int ngx_http_busy_lock_cacheable(ngx_http_busy_lock_t *bl, ngx_http_busy_lock_ctx_t *bc, int lock) { int rc; rc = ngx_http_busy_lock_look_cacheable(bl, bc, lock); ngx_log_debug3(NGX_LOG_DEBUG_HTTP, bc->event->log, 0, "http busylock: %d w:%d mw::%d", rc, bl->waiting, bl->max_waiting); if (rc == NGX_OK) { /* no the same request, there's free slot */ return NGX_OK; } if (rc == NGX_ERROR && !lock) { /* no the same request, no free slot */ return NGX_OK; } /* rc == NGX_AGAIN: the same request */ if (bc->time) { if (bc->time < bl->timeout) { ngx_add_timer(bc->event, 1000); return NGX_AGAIN; } bl->waiting--; return NGX_DONE; } if (bl->timeout == 0) { return NGX_DONE; } if (bl->waiting < bl->max_waiting) { #if 0 bl->waiting++; ngx_add_timer(bc->event, 1000); bc->event->event_handler = bc->event_handler; #endif /* TODO: ngx_handle_level_read_event() */ return NGX_AGAIN; } return NGX_ERROR; } void ngx_http_busy_unlock(ngx_http_busy_lock_t *bl, ngx_http_busy_lock_ctx_t *bc) { if (bl == NULL) { return; } if (bl->md5) { bl->md5_mask[bc->slot / 8] &= ~(1 << (bc->slot & 7)); bl->cacheable--; } bl->busy--; } static int ngx_http_busy_lock_look_cacheable(ngx_http_busy_lock_t *bl, ngx_http_busy_lock_ctx_t *bc, int lock) { int i, b, cacheable, free; u_int mask; b = 0; cacheable = 0; free = -1; #if (NGX_SUPPRESS_WARN) mask = 0; #endif for (i = 0; i < bl->max_busy; i++) { if ((b & 7) == 0) { mask = bl->md5_mask[i / 8]; } if (mask & 1) { if (ngx_memcmp(&bl->md5[i * 16], bc->md5, 16) == 0) { return NGX_AGAIN; } cacheable++; } else if (free == -1) { free = i; } #if 1 if (cacheable == bl->cacheable) { if (free == -1 && cacheable < bl->max_busy) { free = i + 1; } break; } #endif mask >>= 1; b++; } if (free == -1) { return NGX_ERROR; } if (lock) { if (bl->busy == bl->max_busy) { return NGX_ERROR; } ngx_memcpy(&bl->md5[free * 16], bc->md5, 16); bl->md5_mask[free / 8] |= 1 << (free & 7); bc->slot = free; bl->cacheable++; bl->busy++; } return NGX_OK; } char *ngx_http_set_busy_lock_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { char *p = conf; ngx_uint_t i, dup, invalid; ngx_str_t *value, line; ngx_http_busy_lock_t *bl, **blp; blp = (ngx_http_busy_lock_t **) (p + cmd->offset); if (*blp) { return "is duplicate"; } /* ngx_calloc_shared() */ bl = ngx_pcalloc(cf->pool, sizeof(ngx_http_busy_lock_t)); if (bl == NULL) { return NGX_CONF_ERROR; } *blp = bl; /* ngx_calloc_shared() */ bl->mutex = ngx_pcalloc(cf->pool, sizeof(ngx_event_mutex_t)); if (bl->mutex == NULL) { return NGX_CONF_ERROR; } dup = 0; invalid = 0; value = cf->args->elts; for (i = 1; i < cf->args->nelts; i++) { if (value[i].data[1] != '=') { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid value \"%s\"", value[i].data); return NGX_CONF_ERROR; } switch (value[i].data[0]) { case 'b': if (bl->max_busy) { dup = 1; break; } bl->max_busy = ngx_atoi(value[i].data + 2, value[i].len - 2); if (bl->max_busy == NGX_ERROR) { invalid = 1; break; } continue; case 'w': if (bl->max_waiting) { dup = 1; break; } bl->max_waiting = ngx_atoi(value[i].data + 2, value[i].len - 2); if (bl->max_waiting == NGX_ERROR) { invalid = 1; break; } continue; case 't': if (bl->timeout) { dup = 1; break; } line.len = value[i].len - 2; line.data = value[i].data + 2; bl->timeout = ngx_parse_time(&line, 1); if (bl->timeout == (time_t) NGX_ERROR) { invalid = 1; break; } continue; default: invalid = 1; } if (dup) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "duplicate value \"%s\"", value[i].data); return NGX_CONF_ERROR; } if (invalid) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid value \"%s\"", value[i].data); return NGX_CONF_ERROR; } } if (bl->timeout == 0 && bl->max_waiting) { ngx_conf_log_error(NGX_LOG_WARN, cf, 0, "busy lock waiting is useless with zero timeout, ignoring"); } return NGX_CONF_OK; }