#480 closed defect (invalid)
Unsigned Integers Mishandled
| Reported by: | Scott | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.5.x |
| Keywords: | Cc: | ||
| uname -a: | Darwin <node name> 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64 | ||
| nginx -V: |
nginx version: nginx/1.5.8
built by clang 5.0 (clang-500.2.79) (based on LLVM 3.3svn) configure arguments: --add-module=<path> --without-http_rewrite_module --with-debug --prefix=<path> |
||
Description
There is an error in ngx_string.c::ngx_vslprintf(). At the minimum it behaves incorrectly, at the worst it causes a segfault. It can be triggered by calling ngx_conf_log_error().
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%u hi", 20)
Expected output:
nginx: [emerg] 20 hi in <path here>
Actual output:
nginx: [emerg] hi in <path here>
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%u %s", 20, "hi");
Expected output:
nginx: [emerg] 20 hi in <path here>
Actual output:
<segfault at nginx_str.c, line 254>
I believe it's related to there not being a case for 'u' at the switch statement that spans lines 230-446. One for 'u' would probably be similar to the 'd' case.
Change History (3)
comment:1 by , 10 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 10 years ago
Ah ok, thanks. I didn't see that. I must ask though: even if I give it an invalid format string, it should not segfault, right?
comment:3 by , 10 years ago
If you write incorrect code, including incorrect format string, anything can happen.
The %u format is invalid for ngx_conf_log_error(). Please note that formats nginx understand aren't compatible with printf()'s ones. Supported formats are documented in src/core/ngx_string.c.