details: http://hg.nginx.org/nginx/rev/055d1f63960a
branches:
changeset: 6244:055d1f63960a
user: Maxim Dounin <mdounin@mdounin.ru>
date: Fri Sep 11 17:04:04 2015 +0300
description:
Fixed segfault with incorrect location nesting.

A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created. Example configuration to reproduce the problem:

location "" {
location @foo {}
}

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.

Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.

Reported by Markus Linnala.
Found with afl-fuzz.

diffstat:

src/http/modules/ngx_http_rewrite_module.c | 2 +-
src/http/ngx_http_core_module.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diffs (24 lines):

diff --git a/src/http/modules/ngx_http_rewrite_module.c b/src/http/modules/ngx_http_rewrite_module.c
--- a/src/http/modules/ngx_http_rewrite_module.c
+++ b/src/http/modules/ngx_http_rewrite_module.c
@@ -612,7 +612,7 @@ ngx_http_rewrite_if(ngx_conf_t *cf, ngx_
save = *cf;
cf->ctx = ctx;

- if (pclcf->name.len == 0) {
+ if (cf->cmd_type == NGX_HTTP_SRV_CONF) {
if_code->loc_conf = NULL;
cf->cmd_type = NGX_HTTP_SIF_CONF;

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -3196,7 +3196,7 @@ ngx_http_core_location(ngx_conf_t *cf, n

pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index];

- if (pclcf->name.len) {
+ if (cf->cmd_type == NGX_HTTP_LOC_CONF) {

/* nested location */


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel