Opened 3 years ago

Closed 3 years ago

#1378 closed defect (invalid)

fix a bug that in the function ngx_http_subrequest, it will make the headers_in.headers incorrect,and it will cause many problems

Reported by: fishgege@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.13.x
Keywords: subrequest Cc:
uname -a: Linux Not-Used-KS6-zyVSt5ae4a 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

Description

sr->headers_in = r->headers_in;
This line of code copy the headers ,but it maybe make the struct mistake that sr->headers_in.headers.last mismatch &sr->headers_in.headers.part, when only one part be copied, the mismatch happen. if somewhere use sr->headers_in.headers.last ,it will cause assert or some other problems。fx:in the function ngx_http_headers_more_assert
so only when there is only one part, the mismatch happen , and I update for this.

src/http/ngx_http_core_module.c

@@ -2274,6 +2274,9 @@ ngx_http_subrequest(ngx_http_request_t *r,

sr->pool = r->pool;


sr->headers_in = r->headers_in;

+ if (sr->headers_in.headers.part.next == NULL) {
+ sr->headers_in.headers.last = &sr->headers_in.headers.part;
+ }


ngx_http_clear_content_length(sr);
ngx_http_clear_accept_ranges(sr);

Attachments (2)

0001-fix-a-bug-that-in-the-function-ngx_http_subrequest-i.patch (1.5 KB ) - added by fishgege@… 3 years ago.
0001-Update-ngx_http_core_module.c.patch (921 bytes ) - added by fishgege@… 3 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 by fishgege@…, 3 years ago

src/http/ngx_http_core_module.c
@@ -2274,6 +2274,9 @@ ngx_http_subrequest(ngx_http_request_t *r,
sr->pool = r->pool;

sr->headers_in = r->headers_in;
+ if (sr->headers_in.headers.part.next == NULL) {
+ sr->headers_in.headers.last = &sr->headers_in.headers.part;
+ }

ngx_http_clear_content_length(sr);
ngx_http_clear_accept_ranges(sr);

Version 0, edited 3 years ago by fishgege@… (next)

by fishgege@…, 3 years ago

comment:2 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: newclosed

The ngx_http_subrequest() function provides good enough copy of r->headers_in to read the header list using defined procedures. Trying to do anything beyond that would be a bug in the code which does it. In particular, trying to modify r->header_in (where r->headers_in->last is used) would be a bug in the module which does it, as no code is expected to modify r->headers_in, with the only exception of nginx http core where reading of the http headers happens.

Note: See TracTickets for help on using tickets.