Opened 8 years ago
Last modified 3 years ago
#1238 accepted defect
Core dump when $limit_rate is set both in a map and in a location
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.10.x |
Keywords: | Cc: | ||
uname -a: | Linux localhost.localdomain 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-threads --with-ipv6 --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' |
Description (last modified by )
This is a minimal server configuration used to reproduce the problem (only the map & server section, the rest is the default configuration from nginx.org centos 7 nginx-1.10.3 package).
map $arg_test $limit_rate { default 128k; test 4k; } server { listen 8080; location / { root /var/www; set $limit_rate 4k; } }
If a request to an affected location is made, nginx crashes with the following stack.
Program terminated with signal 7, Bus error. #0 ngx_http_variable_request_set_size (r=0x7fb5c2761650, v=<optimized out>, data=140418628385320) at src/http/ngx_http_variables.c:730 730 *sp = s; (gdb) thread apply all bt Thread 1 (Thread 0x7fb5c1237840 (LWP 2648)): #0 ngx_http_variable_request_set_size (r=0x7fb5c2761650, v=<optimized out>, data=140418628385320) at src/http/ngx_http_variables.c:730 #1 0x00007fb5c12e992d in ngx_http_rewrite_handler (r=0x7fb5c2761650) at src/http/modules/ngx_http_rewrite_module.c:180 #2 0x00007fb5c12a669c in ngx_http_core_rewrite_phase (r=0x7fb5c2761650, ph=<optimized out>) at src/http/ngx_http_core_module.c:901 #3 0x00007fb5c12a1b3d in ngx_http_core_run_phases (r=r@entry=0x7fb5c2761650) at src/http/ngx_http_core_module.c:847 #4 0x00007fb5c12a1c3a in ngx_http_handler (r=r@entry=0x7fb5c2761650) at src/http/ngx_http_core_module.c:830 #5 0x00007fb5c12ad0de in ngx_http_process_request (r=0x7fb5c2761650) at src/http/ngx_http_request.c:1910 #6 0x00007fb5c12ad952 in ngx_http_process_request_line (rev=0x7fb5c27bae10) at src/http/ngx_http_request.c:1022 #7 0x00007fb5c128de60 in ngx_event_process_posted (cycle=cycle@entry=0x7fb5c2745930, posted=0x7fb5c1575290 <ngx_posted_events>) at src/event/ngx_event_posted.c:33 #8 0x00007fb5c128d9d7 in ngx_process_events_and_timers (cycle=cycle@entry=0x7fb5c2745930) at src/event/ngx_event.c:259 #9 0x00007fb5c12944f0 in ngx_worker_process_cycle (cycle=cycle@entry=0x7fb5c2745930, data=data@entry=0x1) at src/os/unix/ngx_process_cycle.c:753 #10 0x00007fb5c1292e66 in ngx_spawn_process (cycle=cycle@entry=0x7fb5c2745930, proc=proc@entry=0x7fb5c1294460 <ngx_worker_process_cycle>, data=data@entry=0x1, name=name@entry=0x7fb5c131c197 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198 #11 0x00007fb5c12946f0 in ngx_start_worker_processes (cycle=cycle@entry=0x7fb5c2745930, n=2, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:358 #12 0x00007fb5c1295283 in ngx_master_process_cycle (cycle=cycle@entry=0x7fb5c2745930) at src/os/unix/ngx_process_cycle.c:130 #13 0x00007fb5c127039d in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:367
Change History (2)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|---|
Status: | new → accepted |
comment:2 by , 3 years ago
For the record:
the $limit_rate set handler has been rewritten in c19ca381b2e6 (1.17.0) such that it no longer causes an invalid address access in conjunction with the map block.
Note:
See TracTickets
for help on using tickets.
Thanks, certainly bad things will happen when trying to use standard variables as a destination variable of
map
. I can reproduce this with nginx 1.11.13 as well. It would be good to properly address this, probably by rejecting such configurations as invalid.