Opened 12 years ago
Closed 12 years ago
#152 closed defect (fixed)
segfault when try_files is used
Reported by: | Eugene Pimenov | Owned by: | somebody |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.1.x |
Keywords: | try_files | Cc: | |
uname -a: | Darwin Eugene-Pimenovs-MacBook-Pro.local 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64 i386 MacBookPro8,2 Darwin | | |
nginx -V: | nginx version: nginx/1.1.19 built by gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00) configure arguments: --with-pcre=../../nginx/pcre/pcre-8.30 | | |
Description
nginx 1.1.19 introduces a segfault when try_files is used.
Config:
```
server {
    listen 8080;
    server_name localhost;

    try_files /system/maintenance.html $uri/index.html $uri.html $uri @app;

    location @app {
        return 502;
    }
}
```
url: http://localhost:8080/sync_sessions/f908072de388e9bdfcde95f24e12b47e72cae888%2029
backtrace:
```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib   0x00007fff8fc45ce2 memmove$VARIANT$sse42 + 37
1   nginx               0x000000010ff104ce ngx_http_core_try_files_phase + 574 (ngx_http_core_module.c:1262)
2   nginx               0x000000010ff0e499 ngx_http_handler + 281 (ngx_http_core_module.c:877)
3   nginx               0x000000010ff149ed ngx_http_process_request + 157 (ngx_http_request.c:1857)
4   nginx               0x000000010ff132c4 ngx_http_process_request_line + 1044 (ngx_http_request.c:725)
5   nginx               0x000000010ff07846 ngx_kqueue_process_events + 406 (ngx_kqueue_module.c:684)
6   nginx               0x000000010feffe49 ngx_process_events_and_timers + 185 (ngx_event.c:248)
7   nginx               0x000000010ff06239 ngx_worker_process_cycle + 249 (ngx_process_cycle.c:806)
8   nginx               0x000000010ff0478f ngx_spawn_process + 767 (ngx_process.c:205)
9   nginx               0x000000010ff060a7 ngx_start_worker_processes + 151 (ngx_process_cycle.c:365)
10  nginx               0x000000010ff0508a ngx_master_process_cycle + 346 (ngx_process_cycle.c:137)
11  nginx               0x000000010feeb173 main + 2547 (nginx.c:410)
12  nginx               0x000000010fee9c64 start + 52
```
It tries to copy memory into an unallocated buffer. When it checks for length it sets prealloc to 0, and then it skips allocating a buffer altogether.
Can reproduce on Debian squeeze (they pushed 1.1.19 to backports, sigh) and Mac OS X 10.7.3.
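
The failure mode described in the report, reduced to a stand-alone C model (an added example, not nginx source and not the code from the fixing changeset). The names `scratch_t`, `need_alloc_weak`, `need_alloc_fixed` and `build_path`, the reserve computation and the 16-byte slack are assumptions made for illustration; the model returns -1 at the point where the real process would fault.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical scratch buffer reused for every try_files candidate. */
typedef struct {
    char   *data;       /* NULL until the first allocation */
    size_t  allocated;  /* bytes reserved beyond the URI length */
} scratch_t;
typedef int (*need_alloc_fn)(const scratch_t *s, size_t reserve);

/* Weak: 0 > 0 is false, so a zero reserve never triggers the first allocation. */
static int need_alloc_weak(const scratch_t *s, size_t reserve)
{
    return reserve > s->allocated;
}
/* Hardened: an unallocated buffer always forces an allocation. */
static int need_alloc_fixed(const scratch_t *s, size_t reserve)
{
    return s->data == NULL || reserve > s->allocated;
}

/* Returns 0 after copying cand, -1 where the copy would hit unallocated memory. */
static int build_path(scratch_t *s, const char *cand, size_t uri_len,
                      need_alloc_fn need_alloc)
{
    size_t len = strlen(cand);
    size_t reserve = len > uri_len ? len - uri_len : 0;
    if (need_alloc(s, reserve)) {
        char *p = realloc(s->data, uri_len + reserve + 16 + 1);
        if (p == NULL) return -1;
        s->data = p;
        s->allocated = reserve + 16;
    }
    if (s->data == NULL) return -1;   /* the model reports instead of crashing */
    memcpy(s->data, cand, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed input: first try_files argument and request path from the ticket. */
    const char *cand = "/system/maintenance.html";
    size_t n = strlen("/sync_sessions/f908072de388e9bdfcde95f24e12b47e72cae888%2029");
    scratch_t weak = {0}, fixed = {0};
    int w = build_path(&weak, cand, n, need_alloc_weak);
    int f = build_path(&fixed, cand, n, need_alloc_fixed);
    printf("weak=%d fixed=%d\n", w, f);
    free(fixed.data);
}
```

The weak check only fails when the first candidate is no longer than the request URI; a longer first candidate produces a non-zero reserve and hides the defect.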
Change History (3)
comment:1 by , 12 years ago
comment:3 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
In [4601/nginx]:
(The changeset message doesn't reference this ticket)