Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#480 closed defect (invalid)

Unsigned Integers Mishandled

Reported by: Scott
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.5.x
Keywords:
Cc:
uname -a: Darwin <node name> 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
nginx -V: nginx version: nginx/1.5.8
built by clang 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
configure arguments: --add-module=<path> --without-http_rewrite_module --with-debug --prefix=<path>


There is an error in ngx_string.c::ngx_vslprintf(). At the minimum it behaves incorrectly; at the worst it causes a segfault. It can be triggered by calling ngx_conf_log_error().

ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%u hi", 20);
Expected output:
nginx: [emerg] 20 hi in <path here>
Actual output:
nginx: [emerg] hi in <path here>

ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%u %s", 20, "hi");
Expected output:
nginx: [emerg] 20 hi in <path here>
Actual output:
<segfault at nginx_str.c, line 254>

I believe it's related to there not being a case for 'u' at the switch statement that spans lines 230-446. One for 'u' would probably be similar to the 'd' case.

Change History (3)

comment:1 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: new → closed

The %u format is invalid for ngx_conf_log_error(). Please note that formats nginx understands aren't compatible with printf()'s ones. Supported formats are documented in src/core/ngx_string.c.

comment:2 by Scott, 7 years ago

Ah ok, thanks. I didn't see that. I must ask though: even if I give it an invalid format string, it should not segfault, right?

comment:3 by Maxim Dounin, 7 years ago

If you write incorrect code, including incorrect format string, anything can happen.
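Since, per the thread, nginx format strings are not printf()-compatible and an invalid one can crash, module code can lint its format strings in a unit test before they ever reach ngx_conf_log_error(). The sketch below is an added example, not part of the ticket and not nginx code. It assumes the helper name ngx_fmt_lint (hypothetical), the conversion letters as recalled from the format list in src/core/ngx_string.c, and that `%ud` is the unsigned-int spelling.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: conversion letters as listed in the format comment in
 * src/core/ngx_string.c; check them against the nginx version you build. */
static const char CONV_ALL[] = "VvsOPTMzidlDLAfrpcZN%";
/* Assumption: only these integer conversions are listed with a 'u' modifier. */
static const char CONV_UNSIGNED[] = "zidlDLA";

/* Hypothetical helper: returns -1 if every directive in fmt ends in a known
 * conversion, otherwise the offset of the offending '%'. */
long ngx_fmt_lint(const char *fmt)
{
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        const char *start = p++;
        int has_u = 0;

        while (*p >= '0' && *p <= '9') p++;          /* zero flag and width */
        for (;;) {                                    /* modifiers */
            if (*p == 'u') { has_u = 1; p++; }
            else if (*p == 'm' || *p == 'x' || *p == 'X' || *p == '*') p++;
            else if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; }
            else break;
        }
        /* No conversion letter: a printf()-style "%u " ends up here. */
        if (*p == '\0' || strchr(CONV_ALL, *p) == NULL) return (long)(start - fmt);
        /* Deliberately strict: 'u' before a non-integer conversion ("%us")
         * is almost always a printf() habit, so flag it too. */
        if (has_u && strchr(CONV_UNSIGNED, *p) == NULL) return (long)(start - fmt);
        p++;
    }
    return -1;
}

int main(void)
{
    /* The two ticket strings, then a corrected form (assumed spelling). */
    const char *samples[] = { "%u hi", "%u %s", "%ud %s" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %ld\n", samples[i], ngx_fmt_lint(samples[i]));
    return 0;
}
```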
