SEGFAULT when testing syntax

[www.google.com/accounts/o8/id?id=AItOawn4-PLPDRvUy9amcGwVzi74Lox5Uiyk928]

nginx is segfaulting in src/core/ngx_string.c:253 when running syntax check (-t).
It seems to be related to module stub_status

Here is gdb session :

(gdb) break src/core/ngx_string.c:251
Breakpoint 1 at 0x40b6a8: file src/core/ngx_string.c, line 251.
(gdb) run -t
Starting program: /usr/sbin/nginx -t
[...]

Breakpoint 1, ngx_vslprintf (buf=0x685b1e "", last=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>,

fmt=0x4633d1 "s, %02d %s %4d %02d:%02d:%02d GMT", args=0x7fffffffe370) at src/core/ngx_string.c:252

[...]
(gdb) info args
buf = 0x685b1e ""
last = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
fmt = 0x4633d1 "s, %02d %s %4d %02d:%02d:%02d GMT"
args = 0x7fffffffe370

(gdb) continue
[... 5 breakpoints at the same point, continue anyway]

Breakpoint 1, ngx_vslprintf (buf=0x7fffffffd64f "", last=0x7fffffffddf0 "(", fmt=0x46b74c "s:%ui", args=0x7fffffffddf0)

at src/core/ngx_string.c:252

252 in src/core/ngx_string.c
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ngx_vslprintf (buf=0x7fffffffd64f "", last=0x7fffffffddf0 "(", fmt=0x46b74c "s:%ui", args=0x7fffffffddf0) at src/core/ngx_string.c:253
253 in src/core/ngx_string.c

(gdb) info args
buf = 0x7fffffffd64f ""
last = 0x7fffffffddf0 "("
fmt = 0x46b74c "s:%ui"
args = 0x7fffffffddf0

---

Nginx config file content

---

http {

ssl on;
server {

listen 80;
stub_status on;

}

}

[Maxim Dounin]

Thank you for report. It's the problem in ssl module, attached patch fixes it.

[Maxim Dounin]

In [4235/nginx]:

Fixed segfault on configuration testing with ssl (ticket #37).

The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:

http {

ssl on;
server {
}

}

[is]

In [4246/nginx]:

Merging r4034, r4186, r4187, r4229, r4235, r4237:

SSL related fixes:

*) Better handling of various per-server ssl options with SNI.

SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).

As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.

Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.

Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.

*) Disabling SSL compression. This saves about 300K per SSL connection.

The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.

*) Releasing memory of idle SSL connection. This saves about 34K per SSL

connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.

*) Decrease of log level of some SSL handshake errors.

*) Fixed segfault on configuration testing with ssl (ticket #37).

The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:

http {

ssl on;
server {
}

}

*) Silently ignoring a stale global SSL error left after disabled renegotiation.

[Maxim Dounin]

Fix committed (and merged into stable), thanks.