Opened 6 years ago

Last modified 6 years ago

#1786 closed defect

Send file from Perl module — at Initial Version

Reported by: UncleMiF@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.15.x
Keywords: Cc:
uname -a: Linux hk0 4.4.0-145-generic #171-Ubuntu SMP Tue Mar 26 12:43:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --user=httpd --group=robot --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_stub_status_module --with-file-aio --with-threads --with-http_v2_module --with-http_geoip_module --with-http_image_filter_module --with-http_perl_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-openssl=../openssl-1.1.1b --with-debug

Description

(CentOS 7 container in Ubuntu 16 Server's Host)

stack:

(gdb) bt
#0 ngx_http_perl_output (r=r@entry=0x1e77480, b=b@entry=0x1e521d8) at nginx.xs:76
#1 0x00007f8512e2fc91 in XS_nginx_sendfile (my_perl=0xc7b700, cv=<optimized out>) at nginx.xs:751
#2 0x00007f8515b4541f in Perl_pp_entersub () from /usr/lib64/perl5/CORE/libperl.so
#3 0x00007f8515b3db96 in Perl_runops_standard () from /usr/lib64/perl5/CORE/libperl.so
#4 0x00007f8515ad5168 in Perl_call_sv () from /usr/lib64/perl5/CORE/libperl.so
#5 0x00000000004f34f6 in ngx_http_perl_call_handler (my_perl=my_perl@entry=0xc7b700, r=r@entry=0x1e77480,

nginx=<optimized out>, sub=0xdb9528, args=args@entry=0x0, handler=0x13d4100, rv=rv@entry=0x0)
at src/http/modules/perl/ngx_http_perl_module.c:710

#6 0x00000000004f4c35 in ngx_http_perl_handle_request (r=0x1e77480)

at src/http/modules/perl/ngx_http_perl_module.c:223

#7 0x00000000004f4e38 in ngx_http_perl_handler (r=<optimized out>) at src/http/modules/perl/ngx_http_perl_module.c:174
#8 0x000000000049acaf in ngx_http_core_content_phase (r=0x1e77480, ph=<optimized out>)

at src/http/ngx_http_core_module.c:1169

#9 0x00000000004953c5 in ngx_http_core_run_phases (r=0x1e77480) at src/http/ngx_http_core_module.c:858
#10 0x00000000004d6da8 in ngx_http_v2_run_request (r=0x1e77480) at src/http/v2/ngx_http_v2.c:3789
#11 0x00000000004d6e55 in ngx_http_v2_state_header_complete (h2c=0x1d32a10,

pos=0x185006b "i\213\344\307\362\027\235iǚy\317\347h\226\337=\277J\t\325/\224\212\b\001y@\212\343-
d*bѿ%",
end=0x185006b "i\213\344\307\362\027\235iǚy\317\347h\226\337=\277J\t\325/\224\212\b\001y@\212\343-
d*bѿ%")
at src/http/v2/ngx_http_v2.c:1704

#12 0x00000000004d7fff in ngx_http_v2_state_header_block (h2c=0x1d32a10,

pos=0x185006b "i\213\344\307\362\027\235iǚy\317\347h\226\337=\277J\t\325/\224\212\b\001y@\212\343-
d*bѿ%",
end=0x185006b "i\213\344\307\362\027\235iǚy\317\347h\226\337=\277J\t\325/\224\212\b\001y@\212\343-
d*bѿ%")
at src/http/v2/ngx_http_v2.c:1273

#13 0x00000000004d58a0 in ngx_http_v2_read_handler (rev=0x1794560) at src/http/v2/ngx_http_v2.c:413
#14 0x0000000000487329 in ngx_epoll_process_events (cycle=0xc5dd00, timer=<optimized out>, flags=<optimized out>)

at src/event/modules/ngx_epoll_module.c:902

#15 0x000000000047c3f7 in ngx_process_events_and_timers (cycle=cycle@entry=0xc5dd00) at src/event/ngx_event.c:242
#16 0x0000000000485015 in ngx_worker_process_cycle (cycle=cycle@entry=0xc5dd00, data=data@entry=0x27)

at src/os/unix/ngx_process_cycle.c:750

#17 0x000000000048363c in ngx_spawn_process (cycle=cycle@entry=0xc5dd00,

proc=proc@entry=0x484fd0 <ngx_worker_process_cycle>, data=data@entry=0x27,
name=name@entry=0x6e780e "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:199

#18 0x00000000004847d4 in ngx_start_worker_processes (cycle=cycle@entry=0xc5dd00, n=40, type=type@entry=-3)

at src/os/unix/ngx_process_cycle.c:359

#19 0x0000000000485c5f in ngx_master_process_cycle (cycle=cycle@entry=0xc5dd00) at src/os/unix/ngx_process_cycle.c:131
#20 0x000000000045acd2 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:382

details:

#0 ngx_http_perl_output (r=r@entry=0x1e77480, b=b@entry=0x1e521d8) at nginx.xs:76

out = {buf = 0x0, next = 0x1e77480}
cl = <optimized out>
ctx = 0x0

#1 0x00007f8512e2fc91 in XS_nginx_sendfile (my_perl=0xc7b700, cv=<optimized out>) at nginx.xs:751

bytes = 6519719
clcf = 0x13d42d8
r = 0x1e77480
filename = <optimized out>
offset = 0
path = {len = 124,


reason:

ctx is equal to 0x0 (AKA NULL)

from sources (nginx.xs:76):

ctx = ngx_http_get_module_ctx(r, ngx_http_perl_module); it looks ctx is equal to NULL here (maybe client is disconnected… who knows)

if (ctx->ssi) { there is no ctx check here, so it crached on NULL

cl = ngx_alloc_chain_link(r->pool);
if (cl == NULL) {

return NGX_ERROR;

}

defect:

nginx workers massive crash (perhaps on file range requests)

Change History (0)

Note: See TracTickets for help on using tickets.