Opened 5 years ago

Closed 5 years ago

#1679 closed defect (invalid)

Possible infinite loop in function ngx_cache_manager_process_cycle and ngx_cache_loader_process_handler in src/os/unix/ngx_process_cycle.c

Reported by: 92siuyang@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.15.x
Keywords:
Cc:
uname -a:
nginx -V: None

Description

Hi,

There are two possible infinite loop vulnerabilities in the functions ngx_cache_manager_process_cycle and ngx_cache_loader_process_handler in src/os/unix/ngx_process_cycle.c. And I am not so sure about the issue.

We take the function ngx_cache_loader_process_handler as an example.

static void
ngx_cache_loader_process_handler(ngx_event_t *ev)
{
    ngx_uint_t     i;
    ngx_path_t   **path;
    ngx_cycle_t   *cycle;

    cycle = (ngx_cycle_t *) ngx_cycle;

    path = cycle->paths.elts;
    for (i = 0; i < cycle->paths.nelts; i++) {

        if (ngx_terminate || ngx_quit) {
            break;
        }

        if (path[i]->loader) {
            path[i]->loader(path[i]->data);
            ngx_time_update();
        }
    }

    exit(0);
}

The "ngx_quit" flag may be reset in the function ngx_worker_process_cycle. So, make sure to test ngx_exiting as well.

This issue is very similar to an issue that was fixed in https://trac.nginx.org/nginx/browser/nginx/src/os/win32/ngx_process_cycle.c?rev=b74f1106f920fe9e447c710e57a5ccdeae46d8e3.
The similar issue is https://trac.nginx.org/nginx/ticket/514.

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: new → closed

The ngx_worker_process_cycle() function is not used in cache loader and cache manager processes, and cannot reset ngx_quit. The issue in #514 is win32-specific and happens due to the fact that cache loader and cache manager are threads on win32, not real processes.
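
The process/thread distinction drawn in comment:1, as an added example (not nginx code and not part of the ticket): a flag cleared by a worker running as a separate process never reaches the loader's copy, while a worker running as a thread clears the very variable the loader tests. `quit_flag` and the function names are hypothetical stand-ins for `ngx_quit` and the worker cycle, the parent process plays the loader, and POSIX threads stand in for win32 threads.

```c
/* Added illustration, not nginx source. quit_flag stands in for ngx_quit and
 * worker_resets_flag() for a worker cycle that clears it (both hypothetical). */
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t quit_flag;

static void *worker_resets_flag(void *arg)
{
    (void) arg;
    quit_flag = 0;
    return NULL;
}

/* Unix model: the worker is a separate process with its own copy of the flag.
 * Returns the value the loader (this process) still sees, or -1 on error. */
int loader_view_after_process_worker(void)
{
    int status;
    pid_t pid;
    quit_flag = 1;
    pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        worker_resets_flag(NULL);
        _exit(quit_flag);               /* child's private copy is now 0 */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return quit_flag;                   /* 1: the reset never reached us */
}

/* win32 model: the worker is a thread sharing the loader's address space. */
int loader_view_after_thread_worker(void)
{
    pthread_t tid;
    quit_flag = 1;
    if (pthread_create(&tid, NULL, worker_resets_flag, NULL) != 0) return -1;
    if (pthread_join(tid, NULL) != 0) return -1;
    return quit_flag;                   /* 0: the loader missed the request */
}

int main(void)
{
    printf("process worker: loader sees %d\n", loader_view_after_process_worker());
    printf("thread worker:  loader sees %d\n", loader_view_after_thread_worker());
    return 0;
}
```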
