Opened 13 years ago

Closed 13 years ago

#37 closed defect (fixed)

SEGFAULT when testing syntax

Reported by: www.google.com/accounts/o8/id?id=AItOawn4-PLPDRvUy9amcGwVzi74Lox5Uiyk928
Owned by: Maxim Dounin
Priority: minor
Milestone:
Component: nginx-module
Version: 1.1.x
Keywords: stub_status
Cc:
uname -a: Linux ***.com 2.6.36 #4 SMP Mon Feb 21 17:48:32 CET 2011 x86_64 Intel(R) Xeon(R) CPU L5630 @ 2.13GHz GenuineIntel GNU/Linux
nginx -V: nginx: nginx version: nginx/1.1.6
nginx: built by gcc 4.4.0 (GCC)
nginx: TLS SNI support enabled
nginx: configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nobody --group=nobody --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --add-module=syslog --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/tmp --http-proxy-temp-path=/tmp --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module

Description

nginx is segfaulting in src/core/ngx_string.c:253 when running a syntax check (-t).
It seems to be related to the stub_status module.

Here is the gdb session:

(gdb) break src/core/ngx_string.c:251
Breakpoint 1 at 0x40b6a8: file src/core/ngx_string.c, line 251.
(gdb) run -t
Starting program: /usr/sbin/nginx -t
[...]

Breakpoint 1, ngx_vslprintf (buf=0x685b1e "", last=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>,
    fmt=0x4633d1 "s, %02d %s %4d %02d:%02d:%02d GMT", args=0x7fffffffe370) at src/core/ngx_string.c:252

[...]
(gdb) info args
buf = 0x685b1e ""
last = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
fmt = 0x4633d1 "s, %02d %s %4d %02d:%02d:%02d GMT"
args = 0x7fffffffe370

(gdb) continue
[... 5 breakpoints at the same point, continue anyway]

Breakpoint 1, ngx_vslprintf (buf=0x7fffffffd64f "", last=0x7fffffffddf0 "(", fmt=0x46b74c "s:%ui", args=0x7fffffffddf0)
    at src/core/ngx_string.c:252

252 in src/core/ngx_string.c
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ngx_vslprintf (buf=0x7fffffffd64f "", last=0x7fffffffddf0 "(", fmt=0x46b74c "s:%ui", args=0x7fffffffddf0) at src/core/ngx_string.c:253
253 in src/core/ngx_string.c

(gdb) info args
buf = 0x7fffffffd64f ""
last = 0x7fffffffddf0 "("
fmt = 0x46b74c "s:%ui"
args = 0x7fffffffddf0


Nginx config file content


http {
    ssl on;
    server {
        listen 80;
        stub_status on;
    }
}

Attachments (1)

patch-nginx-ssl-config.txt (1.1 KB) - added by Maxim Dounin 13 years ago.


Change History (5)

by Maxim Dounin, 13 years ago

Attachment: patch-nginx-ssl-config.txt added

comment:1 by Maxim Dounin, 13 years ago

Owner: changed from somebody to Maxim Dounin
Status: new → assigned

Thank you for the report. It's a problem in the ssl module; the attached patch fixes it.

comment:2 by Maxim Dounin, 13 years ago

In [4235/nginx]:

Fixed segfault on configuration testing with ssl (ticket #37).

The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:

    http {
        ssl on;
        server {
        }
    }
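
The defect class this commit message describes, modelled as an added example that is not nginx source and not the attached patch: a flag is inherited from the parent level without the file/line recording where it was set. All names (ssl_conf_t, merge_buggy, merge_fixed, describe) are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define CONF_UNSET (-1)

/* Hypothetical, simplified per-level config (not nginx's own struct). */
typedef struct {
    int         enable;  /* CONF_UNSET until a directive sets it */
    const char *file;    /* config file that set the flag, else NULL */
    unsigned    line;    /* line number of that directive */
} ssl_conf_t;

/* Defect pattern: the flag is inherited, its origin (file/line) is not. */
static void merge_buggy(const ssl_conf_t *parent, ssl_conf_t *child)
{
    if (child->enable == CONF_UNSET)
        child->enable = (parent->enable == CONF_UNSET) ? 0 : parent->enable;
}

/* Corrected pattern: file and line travel together with the flag. */
static void merge_fixed(const ssl_conf_t *parent, ssl_conf_t *child)
{
    if (child->enable != CONF_UNSET) return;
    if (parent->enable == CONF_UNSET) { child->enable = 0; return; }
    child->enable = parent->enable;
    child->file = parent->file;
    child->line = parent->line;
}

/* Builds the "file:line" part of a diagnostic. Returns -1 instead of
 * handing an unset file pointer to a %s conversion. */
static int describe(const ssl_conf_t *c, char *out, size_t len)
{
    if (c->file == NULL) return -1;
    return snprintf(out, len, "%s:%u", c->file, c->line);
}

int main(void)
{
    /* Constructed sample: flag set at the outer level, empty inner block. */
    ssl_conf_t http = { 1, "/etc/nginx/nginx.conf", 3 };
    ssl_conf_t srv_a = { CONF_UNSET, NULL, 0 }, srv_b = srv_a;
    char buf[64];

    merge_buggy(&http, &srv_a);
    merge_fixed(&http, &srv_b);
    printf("buggy: %s\n", describe(&srv_a, buf, sizeof buf) < 0 ? "(no origin)" : buf);
    printf("fixed: %s\n", describe(&srv_b, buf, sizeof buf) < 0 ? "(no origin)" : buf);
    return 0;
}
```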

comment:3 by is, 13 years ago

In [4246/nginx]:

Merging r4034, r4186, r4187, r4229, r4235, r4237:

SSL related fixes:

*) Better handling of various per-server ssl options with SNI.

   SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
   structure, it only changes certificates (at least as of now, OpenSSL
   1.0.0d and earlier).

   As a result settings like ssl_verify_client, ssl_verify_depth,
   ssl_prefer_server_ciphers are only configurable on per-socket basis while
   with SNI it should be possible to specify them different for two servers
   listening on the same socket.

   Workaround is to explicitly re-apply settings we care about from context
   to ssl connection in servername callback.

   Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
   with older versions it is not possible to clear ssl_prefer_server_ciphers
   option if it's set in default server for a socket.

*) Disabling SSL compression. This saves about 300K per SSL connection.

   The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.

*) Releasing memory of idle SSL connection. This saves about 34K per SSL
   connection. The SSL_MODE_RELEASE_BUFFERS option is available since
   OpenSSL 1.0.0d.

*) Decrease of log level of some SSL handshake errors.

*) Fixed segfault on configuration testing with ssl (ticket #37).

   The following config caused segmentation fault due to conf->file not
   being properly set if "ssl on" was inherited from the http level:

       http {
           ssl on;
           server {
           }
       }

*) Silently ignoring a stale global SSL error left after disabled renegotiation.

comment:4 by Maxim Dounin, 13 years ago

Resolution: fixed
Status: assigned → closed

Fix committed (and merged into stable), thanks.
