Welcome! Log In Create A New Profile

Advanced

possible problem with ngx_palloc_small()

Maksim Yevmenkin
August 31, 2020 02:10PM
Hello,

a colleague of mine sent me this

==

There is a problem in ngx_palloc_small() if it is called with arg
'align' set true when the small buffer is almost exhausted such that
there are less bytes available in that buffer than the change in
alignment consumes

In that case, 'm' (the alignment adjusted start of the remainder of
the buffer) may move beyond the 'end' marker, meaning that p->d.end -
m becomes -ve.

Unfortunately, that subtraction is cast to a size_t (unsigned) and so
its comparison to '>= size' is very likely true, meaning that the
p->d.last is advanced beyond p->d.end and so memory already utilised
is returned. iI that happens to trample over bytes used for say the
p->large->next...->next chain, then a BUS error is likely

It seems that this can be addressed by :

@@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
ngx_uint_t align)
m = ngx_align_ptr(m, NGX_ALIGNMENT);
}

- if ((size_t) (p->d.end - m) >= size) {
+ if (p->d.end >= (size + m)) {
p->d.last = m + size;

return m;
==

can someone please share thoughts, comments, etc?

thanks,
max
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

possible problem with ngx_palloc_small()

Maksim Yevmenkin 93 August 31, 2020 02:10PM

Re: possible problem with ngx_palloc_small()

Maxim Dounin 27 September 01, 2020 09:20AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 63
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready