Opened 6 years ago

Closed 6 years ago

#1618 closed defect (fixed)

Potential infinity cycle in ngx_http_upstream_send_request_body()

Reported by: SvyatoslavRazmyslov@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.15.x
Keywords: Cc: razmyslov@…
uname -a:
nginx -V: Mercurial default branch.

Description

I have found a bug using PVS-Studio static analyzer for C/C++/C#.

V1021 The 'cl' variable is assigned the same value on several loop iterations. ngx_http_upstream.c 2138

if (r->request_body->bufs) {
  for (cl = out; cl->next; cl = out->next) { /* void */ } // <= bug
  cl->next = r->request_body->bufs;
  r->request_body->bufs = NULL;
}

Corrected code:

for (cl = out; cl->next; cl = cl->next) { /* void */ }

Change History (4)

comment:1 by vl, 6 years ago

Status: newaccepted

Thanks for reporting.
Looks like currently chain link is a single item in this place, so nothing bad happens
in vanilla nginx.

comment:2 by vl, 6 years ago

Priority: criticalminor

comment:3 by Vladimir Homutov <vl@…>, 6 years ago

In 7341:15ea84e65d07/nginx:

Upstream: fixed request chain traversal (ticket #1618).

The problem does not manifest itself currently, because in case of
non-buffered reading, chain link created by u->create_request method
consists of a single element.

Found by PVS-Studio.

comment:4 by vl, 6 years ago

Resolution: fixed
Status: acceptedclosed
Note: See TracTickets for help on using tickets.