Opened 10 years ago

Last modified 3 years ago

#600 closed defect

segfault in ngx_http_get_variable() — at Initial Version

Reported by: Xiaochen Wang Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: Cc:
uname -a: Linux *** 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)

Description

easy to reproduce:

  1. nginx configure:

location / {

set $sent_http_foo "bar";
ssi on;
root html;

}

  1. The content of html/index.html is '<!--#echo var="sent_http_foo" -->'
  2. Requesting uri /index.html will trigger the segfault

coredump backtrace:

(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x0000000000438555 in ngx_http_get_variable (r=0xbe87f0, name=<value optimized out>, key=<value optimized out>) at src/http/ngx_http_variables.c:565
#2 0x000000000044b50f in ngx_http_ssi_echo (r=0xbe87f0, ctx=0xbe9ab8, params=0x7fff6d998cb0) at src/http/modules/ngx_http_ssi_filter_module.c:2262
...
(gdb) frame 1
#1 0x0000000000438555 in ngx_http_get_variable (r=0xbe87f0, name=<value optimized out>,

key=<value optimized out>) at src/http/ngx_http_variables.c:565

565 if (vv && v->get_handler(r, vv, v->data) == NGX_OK) {
(gdb) print vv
$7 = (ngx_http_variable_value_t *) 0xbea000
(gdb) print v->get_handler
$8 = (ngx_http_get_variable_pt) 0 <<< v->get_handler is NULL

Another module ngx.lua (https://github.com/openresty/lua-nginx-module), using ngx_http_get_variable() api, will trigger this segfault too.

See configure as following, requesting uri / will trigger the segfault.

location / {

set $http_foo "bar";
content_by_lua "ngx.say(ngx.var.http_foo)";

}

Change History (0)

Note: See TracTickets for help on using tickets.