Mercurial > hg > nginx

changeset 6244:055d1f63960a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fixed segfault with incorrect location nesting. A configuration with a named location inside a zero-length prefix or regex location used to trigger a segmentation fault, as ngx_http_core_location() failed to properly detect if a nested location was created. Example configuration to reproduce the problem: location "" { location @foo {} } Fix is to not rely on a parent location name length, but rather check command type we are currently parsing. Identical fix is also applied to ngx_http_rewrite_if(), which used to incorrectly assume the "if" directive is on server{} level in such locations. Reported by Markus Linnala. Found with afl-fuzz.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 11 Sep 2015 17:04:04 +0300
parents 4821fc788c12
children 3cf25d33886a
files src/http/modules/ngx_http_rewrite_module.c src/http/ngx_http_core_module.c
diffstat 2 files changed, 2 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/modules/ngx_http_rewrite_module.c
+++ b/src/http/modules/ngx_http_rewrite_module.c
@@ -612,7 +612,7 @@ ngx_http_rewrite_if(ngx_conf_t *cf, ngx_
     save = *cf;
     cf->ctx = ctx;
 
-    if (pclcf->name.len == 0) {
+    if (cf->cmd_type == NGX_HTTP_SRV_CONF) {
         if_code->loc_conf = NULL;
         cf->cmd_type = NGX_HTTP_SIF_CONF;
 
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -3196,7 +3196,7 @@ ngx_http_core_location(ngx_conf_t *cf, n
 
     pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index];
 
-    if (pclcf->name.len) {
+    if (cf->cmd_type == NGX_HTTP_LOC_CONF) {
 
         /* nested location */