Opened 2 years ago

Last modified 2 years ago

#1263 accepted defect

Segmentation Fault when SSI is used in sub-request

Reported by: peter.magdina.sk@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.11.x
Keywords: Cc:
uname -a: Darwin xxxxxx.local 16.5.0 Darwin Kernel Version 16.5.0: Fri Mar 3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64
nginx -V: nginx version: nginx/1.12.0 built by clang 8.1.0 (clang-802.0.41) built with OpenSSL 1.1.0e 16 Feb 2017 TLS SNI support enabled configure arguments: --with-cc-opt='-O2 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=spnego-http-auth-nginx-module-master --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-http_v2_module --with-threads --with-http_slice_module --user=nginx --group=nginx --prefix=/opt/nginx --error-log-path=/opt/nginx/log/error.log --http-log-path=/opt/nginx/log/access.log --pid-path=/opt/nginx/run/nginx.pid --lock-path=/opt/nginx/run/nginx --http-client-body-temp-path=/opt/nginx/cache/client --http-proxy-temp-path=/opt/nginx/cache/proxy --http-fastcgi-temp-path=/opt/nginx/cache/fastcgi --http-uwsgi-temp-path=/opt/nginx/cache/uwsgi --http-scgi-temp-path=/opt/nginx/cache/scgi

Description

Hi,

nginx worker process crashes with segfault when SSI is used in a sub-request.

Config example:

    location /loc1.html {
        add_after_body /loc2.html;
    }

    location /loc2.html {
        ssi on;
    }

Seg fault happens only when I access /loc1.html location. When I access /loc2.html directly it works fine.

Error log:

==> ../log/error.log <==
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14566 exited on signal 11
2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14573 exited on signal 11

Just FYI, content of loc1.html:

<p>Hi from location 1 !</p>

content of loc2.html:

<p>Hi from location 2 on <!--#echo var="host" --> !</p>

I tried to debug it and fix it, but due to the time I stopped here:
file ngx_http_ssi_filter_module.c:

static ngx_str_t *
ngx_http_ssi_get_variable(ngx_http_request_t *r, ngx_str_t *name,
    ngx_uint_t key)
{
    ngx_uint_t           i;
    ngx_list_part_t     *part;
    ngx_http_ssi_var_t  *var;
    ngx_http_ssi_ctx_t  *ctx;

    ctx = ngx_http_get_module_ctx(r->main, ngx_http_ssi_filter_module);

    ...

ctx is NULL. SSI context is missing when SSI is called in a subrequest.

And then the subsequent code will cause segfault, because ctx is NULL:

    if (ctx->variables == NULL) {
        return NULL;
    }

I added some additional debug logs to the code around the ctx = ngx_http_get_module_ctx(....) line. And this is the output:

2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main: 00007FE3FC006E50
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main->ctx: 00007FE3FC007770, module.ctx_index: 46
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable ctx: 0000000000000000

Cheers
Peter Magdina

Change History (1)

comment:1 Changed 2 years ago by mdounin

  • Status changed from new to accepted

Thanks for the report, looks like a generic problem in the SSI module. It was written when there were no subrequests except subrequests created by the SSI module itself, and assumes in many places that its context always exists in the main request. This needs to be fixed.

Note: See TracTickets for help on using tickets.