﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
162	buffer overflow under a particular rewrite configuration	fan liu	somebody	"nginx conf:
location / {
    rewrite ^(/.*)$ $1?ip=$remote_addr&fetch=baidu? last;
}

Surely, this config leads to a URL handling loop. I configured it this way just to make the coredump appear more easily.

The request url is:
/r/www/cache/g%E6%A0%A1%E8%BF%90%E5%8A%A8%E5%9C%BA%E4%B8%8A%E6%95%A3%E6%AD%A5%E3%80%82%E4%BB%96%E4%BB%8E%E6%A5%BC%E4%B8%8A%E8%B5%B0%E4%BA%86%E4%B8%8B%E6%9D%A5%EF%BC%8C%E7%9C%8B%E5%88%B0%E6%88%91%E7%A9%BF%E7%9A%84...www8090kkwww8090kk%E3%80%90%3Cem%3Ewww8090kk%3C/em%3E%E3%80%91_%3Cem%3Ewww8090kk%3C/em%3E%E2%80%BB%E9%AB%98%E6%B8%85%E2%80%BBwww8090kkwww8090kk%20=======...%3Cbr%3E%3Cspan%20class=

As you see, there are many '%' characters; that's what leads to the coredump.


The coredump happens in this way:

When nginx handles a rewrite declaration, it first estimates the buffer length the destination needs. For this statement, it calls:
ngx_http_script_copy_capture_len_code
ngx_http_script_mark_args_code
ngx_http_script_copy_len_code
...

Then nginx starts to translate the URL; it calls:
ngx_http_script_copy_capture_code
ngx_http_script_copy_code
...

In the function ngx_http_script_mark_args_code, e->is_args is set to 1.
As a result, when estimating the destination buffer in ngx_http_script_copy_capture_len_code,
ngx_escape_uri is not called, but when translating the URL in ngx_http_script_copy_capture_code, ngx_escape_uri is called.

That's the problem.

ngx_escape_uri turns '%' into THREE characters, while we only allocate ONE byte of buffer space. So, coredump.
"	defect	closed	major		nginx-core	1.2.x	fixed	rewrite coredump		Linux liufan 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 i386 GNU/Linux	"nginx version: nginx/1.2.0
built by gcc 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) 
configure arguments:"
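The mismatch the ticket describes, as an added example that is not nginx code: a miniature of the rewrite engine's measure-then-copy steps for a regex capture, with a constructed escape rule standing in for ngx_escape_uri, the estimator that ignores the escape cost once is_args is set beside the one that measures with the same rule the copy applies, and a capacity-checked copy that reports a short buffer instead of writing past it. The function names, the escape set, the is_args flag and the sample capture are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not nginx code: a miniature of the rewrite engine's
 * measure-then-copy steps for a regex capture. The is_args flag stands in
 * for e->is_args, set once the '?' in the replacement has been reached. */

/* Constructed escape rule standing in for ngx_escape_uri(NGX_ESCAPE_ARGS):
 * these bytes become a three-byte %XX sequence, all others are copied as-is.
 * The real unsafe set is larger; this is a simplification for the example. */
static int needs_escape(unsigned char c)
{
    return c == '%' || c == ' ' || c == '"' || c == '<' || c == '>'
           || c < 0x20 || c >= 0x7f;
}

/* Bytes the capture occupies after escaping (the cost the copy step pays). */
size_t escaped_len(const unsigned char *s, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        len += needs_escape(s[i]) ? 3 : 1;
    }
    return len;
}

/* Length code as the ticket describes it: once is_args is set the escape
 * cost is not measured, so every byte is counted exactly once. */
size_t capture_len_buggy(const unsigned char *s, size_t n, int is_args)
{
    (void) s;
    (void) is_args;
    return n;
}

/* Length code measuring with exactly the rule the copy code will apply. */
size_t capture_len_fixed(const unsigned char *s, size_t n, int is_args)
{
    return is_args ? escaped_len(s, n) : n;
}

/* Copy code: escapes when is_args is set and never writes past cap.
 * Returns the bytes written, or (size_t) -1 if cap was too small. */
size_t capture_copy(unsigned char *dst, size_t cap,
                    const unsigned char *s, size_t n, int is_args)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t out = 0;

    for (size_t i = 0; i < n; i++) {
        if (is_args && needs_escape(s[i])) {
            if (cap - out < 3) {
                return (size_t) -1;
            }
            dst[out++] = '%';
            dst[out++] = hex[s[i] >> 4];
            dst[out++] = hex[s[i] & 0x0f];
        } else {
            if (cap - out < 1) {
                return (size_t) -1;
            }
            dst[out++] = s[i];
        }
    }
    return out;
}

/* Run the two-pass pattern end to end: size the buffer with the chosen
 * estimator, then copy with the capacity check. Returns 1 when the
 * estimate covered the copy, 0 when the copy would have overflowed. */
int estimate_holds(const unsigned char *s, size_t n, int is_args, int use_fixed)
{
    size_t est = use_fixed ? capture_len_fixed(s, n, is_args)
                           : capture_len_buggy(s, n, is_args);
    unsigned char *buf = malloc(est ? est : 1);
    size_t written;

    if (buf == NULL) {
        return 0;
    }
    written = capture_copy(buf, est, s, n, is_args);
    free(buf);
    return written != (size_t) -1;
}

int main(void)
{
    /* Constructed capture: already-decoded URI bytes containing '%', ' ' and
     * '<'/'>', the shape the ticket's request takes once nginx has unescaped it. */
    static const unsigned char cap[] = "/cache/g%E6 <em>x</em>";
    size_t n = sizeof(cap) - 1;

    printf("raw length        : %zu\n", n);
    printf("escaped length    : %zu\n", escaped_len(cap, n));
    printf("buggy estimate ok : %d\n", estimate_holds(cap, n, 1, 0));
    printf("fixed estimate ok : %d\n", estimate_holds(cap, n, 1, 1));
    return 0;
}
```

The invariant worth checking in any code of this shape is that the length pass and the copy pass consult the same flags and the same escape table; the capacity check in capture_copy turns a violated invariant into a reported error at the offending byte rather than a write beyond the allocation, which is what a fuzzer or an assertion build would want to see.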
