Opened 12 years ago
Closed 12 years ago
#141 closed defect (duplicate)
Nginx 1.1.18 Crash (off by one bug) -> Windows
| Reported by: | Benjamin Johnson | Owned by: | somebody |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-core | Version: | 1.1.x |
| Keywords: | Cc: | ||
| uname -a: | windows 7 64-bit | ||
| nginx -V: | 1.1.18 | ||
Description
Windows 7
Repeatable
Many Nginx versions, I reproduced it with Nginx 1.0.X (I believe several versions had this issue including 1.0.14, although I didn't do analysis), and from compiled source 1.1.18.
In src/os/win32/ngx_shmem.c, ngx_alloc does not account for the %Z (terminating \0). I was getting relatively frequent crashes on simple requests.
Index: src/os/win32/ngx_shmem.c
===================================================================
--- src/os/win32/ngx_shmem.c (revision 4568)
+++ src/os/win32/ngx_shmem.c (working copy)
@@ -15,7 +15,7 @@
u_char *name;
uint64_t size;
- name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN), shm->log);
+ name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN) + 1, shm->log);
if (name == NULL) {
return NGX_ERROR;
}
Attachments (1)
Change History (5)
by , 12 years ago
| Attachment: | off_by_one.diff added |
|---|
comment:1 by , 12 years ago
Changed to be more explicit for future developers:
Index: src/os/win32/ngx_shmem.c
===================================================================
--- src/os/win32/ngx_shmem.c (revision 4568)
+++ src/os/win32/ngx_shmem.c (working copy)
@@ -15,7 +15,7 @@
u_char *name;
uint64_t size;
- name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN), shm->log);
+ name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN) + sizeof('\0'), shm->log);
if (name == NULL) {
return NGX_ERROR;
}
follow-up: 3 comment:2 by , 12 years ago
what you found is as same as #134.but your fixing is not very good...
patch