id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
162,buffer overflow under a particular rewrite configuration,fan liu,somebody,"nginx conf: location / { rewrite ^(/.*)$ $1?ip=$remote_addr&fetch=baidu? last; } Surely, this config leads to a URL handling loop. I configured it this way just to make the coredump appear more easily. The request URL is: /r/www/cache/g%E6%A0%A1%E8%BF%90%E5%8A%A8%E5%9C%BA%E4%B8%8A%E6%95%A3%E6%AD%A5%E3%80%82%E4%BB%96%E4%BB%8E%E6%A5%BC%E4%B8%8A%E8%B5%B0%E4%BA%86%E4%B8%8B%E6%9D%A5%EF%BC%8C%E7%9C%8B%E5%88%B0%E6%88%91%E7%A9%BF%E7%9A%84...www8090kkwww8090kk%E3%80%90%3Cem%3Ewww8090kk%3C/em%3E%E3%80%91_%3Cem%3Ewww8090kk%3C/em%3E%E2%80%BB%E9%AB%98%E6%B8%85%E2%80%BBwww8090kkwww8090kk%20=======...%3Cbr%3E%3Cspan%20class= As you can see, there are many '%' characters; that's what leads to the coredump. The coredump happens in this way: When nginx handles the rewrite declaration, it first estimates the buffer length the destination needs. For this statement, it calls: ngx_http_script_copy_capture_len_code, ngx_http_script_mark_args_code, ngx_http_script_copy_len_code, ... Then nginx starts to translate the URL; it calls: ngx_http_script_copy_capture_code, ngx_http_script_copy_code, ... In function ngx_http_script_mark_args_code, e->is_args is set to 1. As a result, when estimating the destination buffer in function ngx_http_script_copy_capture_len_code, ngx_escape_uri is not called, but when translating the URL in function ngx_http_script_copy_capture_code, ngx_escape_uri is called. That's the problem. ngx_escape_uri turns '%' into THREE characters, while we only allocate ONE byte of buffer space. So, coredump.",defect,closed,major,,nginx-core,1.2.x,fixed,rewrite coredump,,Linux liufan 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 i386 GNU/Linux,"nginx version: nginx/1.2.0 built by gcc 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) configure arguments:"