details: http://hg.nginx.org/nginx/rev/8c6e71722aff
branches:
changeset: 6238:8c6e71722aff
user: Valentin Bartenev <vbart@nginx.com>
date: Mon Aug 31 23:25:16 2015 +0300
description:
Added protection against r->main->count overflow by subrequests.

This overflow has become possible after the change in 06e850859a26,
since concurrent subrequests are not limited now and each of them is
counted in r->main->count.

diffstat:

src/http/ngx_http_core_module.c | 10 ++++++++++
src/http/ngx_http_request.h | 2 +-
2 files changed, 11 insertions(+), 1 deletions(-)

diffs (33 lines):

diff -r 06e850859a26 -r 8c6e71722aff src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Sun Aug 23 21:03:32 2015 +0300
+++ b/src/http/ngx_http_core_module.c Mon Aug 31 23:25:16 2015 +0300
@@ -2433,6 +2433,16 @@ ngx_http_subrequest(ngx_http_request_t *
return NGX_ERROR;
}

+ /*
+ * 1000 is reserved for other purposes.
+ */
+ if (r->main->count >= 65535 - 1000) {
+ ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
+ "request reference counter overflow "
+ "while processing \"%V\"", uri);
+ return NGX_ERROR;
+ }
+
sr = ngx_pcalloc(r->pool, sizeof(ngx_http_request_t));
if (sr == NULL) {
return NGX_ERROR;
diff -r 06e850859a26 -r 8c6e71722aff src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h Sun Aug 23 21:03:32 2015 +0300
+++ b/src/http/ngx_http_request.h Mon Aug 31 23:25:16 2015 +0300
@@ -439,8 +439,8 @@ struct ngx_http_request_s {

ngx_http_cleanup_t *cleanup;

+ unsigned count:16;
unsigned subrequests:8;
- unsigned count:8;
unsigned blocked:8;

unsigned aio:1;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel