[BUG] New memory invalid read regression in resolver since nginx 1.7.5

Yichun Zhang (agentzh)
September 30, 2014 06:12PM
Hello!

I've noticed that the code refactoring in the resolver in nginx 1.7.5
introduces a new regression that can cause memory invalid reads when
--with-debug is used to build nginx. The issue still exists in
nginx 1.7.6.

The following standalone and minimal example can trigger this:

    location = /main {
        return 200 "foo";
        addition_types text/plain;
        add_after_body /sub;
    }

    location = /sub {
        resolver 8.8.8.8;
        set $myurl "http://not-exist.agentzh.org";
        proxy_pass $myurl;
    }

Accessing /main with valgrind yields the following error:

==16903== Invalid read of size 4
==16903==    at 0x41FDE6: ngx_event_del_timer (ngx_event_timer.h:38)
==16903==    by 0x420A86: ngx_resolve_name_done (ngx_resolver.c:415)
==16903==    by 0x46B90A: ngx_http_upstream_finalize_request (ngx_http_upstream.c:3586)
==16903==    by 0x466090: ngx_http_upstream_resolve_handler (ngx_http_upstream.c:941)
==16903==    by 0x422D0B: ngx_resolver_process_a (ngx_resolver.c:1580)
==16903==    by 0x422715: ngx_resolver_process_response (ngx_resolver.c:1369)
==16903==    by 0x42221A: ngx_resolver_read_response (ngx_resolver.c:1239)
==16903==    by 0x438C9A: ngx_epoll_process_events (ngx_epoll_module.c:685)
==16903==    by 0x4296CC: ngx_process_events_and_timers (ngx_event.c:248)
==16903==    by 0x4356CB: ngx_single_process_cycle (ngx_process_cycle.c:319)
==16903==    by 0x403700: main (nginx.c:404)
==16903==  Address 0x4e7e448 is 24 bytes inside a block of size 128 free'd
==16903==    at 0x4A07577: free (vg_replace_malloc.c:468)
==16903==    by 0x424CF8: ngx_resolver_free_locked (ngx_resolver.c:2888)
==16903==    by 0x424C42: ngx_resolver_free_node (ngx_resolver.c:2838)
==16903==    by 0x422CD6: ngx_resolver_process_a (ngx_resolver.c:1571)
==16903==    by 0x422715: ngx_resolver_process_response (ngx_resolver.c:1369)
==16903==    by 0x42221A: ngx_resolver_read_response (ngx_resolver.c:1239)
==16903==    by 0x438C9A: ngx_epoll_process_events (ngx_epoll_module.c:685)
==16903==    by 0x4296CC: ngx_process_events_and_timers (ngx_event.c:248)
==16903==    by 0x4356CB: ngx_single_process_cycle (ngx_process_cycle.c:319)
==16903==    by 0x403700: main (nginx.c:404)
==16903==

The offending line is ngx_event_timer.h:38:

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
                   "event timer del: %d: %M",
                   ngx_event_ident(ev->data), ev->timer.key);

while ev->data here is the resolver node that has already been freed
up earlier in ngx_resolver_free_node.

nginx -V output:

    $ /opt/nginx/sbin/nginx -V
    nginx version: nginx/1.7.5
    built by gcc 4.8.3 20140911 (Red Hat 4.8.3-7) (GCC)
    configure arguments: --with-cc-opt=-O0 --prefix=/opt/nginx --with-debug --with-http_addition_module

Regards,
-agentzh

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
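
The ordering problem reported above, reduced to a small C model. This is an added example, not nginx source and not part of the original post; `node_t`, `event_t`, `del_timer` and the one-slot allocator are hypothetical stand-ins, and a released node is overwritten with 0xDD instead of being handed to free() so that the stale read is observable without undefined behaviour (a 4-byte int is assumed).

```c
#include <stdio.h>
#include <string.h>

typedef struct { int ident; char name[32]; } node_t;    /* stand-in for the resolver node */
typedef struct { void *data; int timer_set; } event_t;  /* stand-in for the timer event */

static node_t slot;   /* one-slot "heap": a released node stays readable, so the demo is defined */

static node_t *node_alloc(int ident) {
    memset(&slot, 0, sizeof(slot));
    slot.ident = ident;
    return &slot;
}

static void node_free(node_t *n) {
    memset(n, 0xDD, sizeof(*n));   /* scribble on release, as a debug allocator would */
}

/* Timer removal. Only the debug-log path dereferences ev->data.
 * Returns the ident the log line would print, or -1 when logging is off. */
static int del_timer(event_t *ev, int debug) {
    int logged = debug ? ((node_t *) ev->data)->ident : -1;
    ev->timer_set = 0;
    return logged;
}

/* Order in the valgrind trace: node released first, timer removed afterwards. */
int free_then_del(int debug) {
    node_t *n = node_alloc(7);
    event_t ev = { n, 1 };
    node_free(n);
    return del_timer(&ev, debug);
}

/* Timer removed while the node is still live, node released afterwards. */
int del_then_free(int debug) {
    node_t *n = node_alloc(7);
    event_t ev = { n, 1 };
    int logged = del_timer(&ev, debug);
    node_free(n);
    return logged;
}

int main(void) {
    printf("debug, free first   : %#x\n", (unsigned) free_then_del(1));
    printf("debug, timer first  : %d\n", del_then_free(1));
    printf("no debug, free first: %d\n", free_then_del(0));
    return 0;
}
```

With logging off the released node is never touched, which matches the report that the invalid read shows up only in builds configured with --with-debug.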