#1263 closed defect (fixed)
Segmentation Fault when SSI is used in sub-request
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-module | Version: | 1.11.x |
Keywords: | Cc: | ||
uname -a: | Darwin xxxxxx.local 16.5.0 Darwin Kernel Version 16.5.0: Fri Mar 3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64 x86_64 | ||
nginx -V: |
nginx version: nginx/1.12.0
built by clang 8.1.0 (clang-802.0.41) built with OpenSSL 1.1.0e 16 Feb 2017 TLS SNI support enabled configure arguments: --with-cc-opt='-O2 -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=spnego-http-auth-nginx-module-master --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-http_v2_module --with-threads --with-http_slice_module --user=nginx --group=nginx --prefix=/opt/nginx --error-log-path=/opt/nginx/log/error.log --http-log-path=/opt/nginx/log/access.log --pid-path=/opt/nginx/run/nginx.pid --lock-path=/opt/nginx/run/nginx --http-client-body-temp-path=/opt/nginx/cache/client --http-proxy-temp-path=/opt/nginx/cache/proxy --http-fastcgi-temp-path=/opt/nginx/cache/fastcgi --http-uwsgi-temp-path=/opt/nginx/cache/uwsgi --http-scgi-temp-path=/opt/nginx/cache/scgi |
Description
Hi,
nginx worker process crashes with segfault when SSI is used in a sub-request.
Config example:
location /loc1.html { add_after_body /loc2.html; } location /loc2.html { ssi on; }
Seg fault happens only when I access /loc1.html location. When I access /loc2.html directly it works fine.
Error log:
==> ../log/error.log <== 2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14566 exited on signal 11 2017/05/03 18:47:10 [alert] 14548#23345880: worker process 14573 exited on signal 11
Just FYI, content of loc1.html:
<p>Hi from location 1 !</p>
content of loc2.html:
<p>Hi from location 2 on <!--#echo var="host" --> !</p>
I tried to debug it and fix it, but due to the time I stopped here:
file ngx_http_ssi_filter_module.c:
static ngx_str_t * ngx_http_ssi_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key) { ngx_uint_t i; ngx_list_part_t *part; ngx_http_ssi_var_t *var; ngx_http_ssi_ctx_t *ctx; ctx = ngx_http_get_module_ctx(r->main, ngx_http_ssi_filter_module); ...
ctx is NULL. SSI context is missing when SSI is called in a subrequest.
And then the subsequent code will cause segfault, because ctx is NULL:
if (ctx->variables == NULL) { return NULL; }
I added some additional debug logs to the code around the ctx = ngx_http_get_module_ctx(....) line. And this is the output:
2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main: 00007FE3FC006E50 2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable r->main->ctx: 00007FE3FC007770, module.ctx_index: 46 2017/05/03 18:47:10 [debug] 16787#8822579: *3 ssi ngx_http_ssi_get_variable ctx: 0000000000000000
Cheers
Peter Magdina
Change History (4)
comment:1 by , 8 years ago
Status: | new → accepted |
---|
comment:4 by , 2 years ago
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Fix committed, thanks to all involved.
Thanks for the report, looks like a generic problem in the SSI module. It was written when there were no subrequests except subrequests created by the SSI module itself, and assumes in many places that its context always exists in the main request. This needs to be fixed.