Maksim Yevmenkin
August 31, 2020 02:10PM
Hello,

a colleague of mine sent me this

==

There is a problem in ngx_palloc_small() if it is called with arg
'align' set true when the small buffer is almost exhausted such that
there are fewer bytes available in that buffer than the change in
alignment consumes.

In that case, 'm' (the alignment adjusted start of the remainder of
the buffer) may move beyond the 'end' marker, meaning that p->d.end -
m becomes -ve.

Unfortunately, that subtraction is cast to a size_t (unsigned) and so
its comparison to '>= size' is very likely true, meaning that the
p->d.last is advanced beyond p->d.end and so memory already utilised
is returned. If that happens to trample over bytes used for say the
p->large->next...->next chain, then a BUS error is likely.

It seems that this can be addressed by:

@@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
ngx_uint_t align)
m = ngx_align_ptr(m, NGX_ALIGNMENT);
}

- if ((size_t) (p->d.end - m) >= size) {
+ if (p->d.end >= (size + m)) {
p->d.last = m + size;

return m;
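Review bot: the replacement test `p->d.end >= (size + m)` first forms a pointer from `m`, which by the report's own description may already lie beyond `p->d.end`, and then adds `size` to it; that is pointer arithmetic outside the block and can itself wrap for a large `size`, so it trades one unsigned-comparison hazard for another. Check the ordering first and only then the distance, e.g. `if (m <= p->d.end && (size_t) (p->d.end - m) >= size) {`. The commit message should also state when `p->d.last` can be close enough to `p->d.end` that aligning up crosses it: with `m <= p->d.end` on entry, that requires `p->d.end` itself not to be a multiple of NGX_ALIGNMENT, so a reproducer using such a block size would settle whether the new check is ever reached.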
==

can someone please share thoughts, comments, etc?

thanks,
max
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
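The following is an added example, not nginx's code and not part of the original post. It models one pool block with offsets into a buffer instead of raw pointers (so the overrun case can be exercised without undefined pointer arithmetic) and places the original `(size_t)(end - m) >= size` test beside a hardened form that rejects `m` once alignment has carried it past `end`. The names `pool_block`, `alloc_buggy`, `alloc_checked` and the constant `ALIGNMENT` are this example's own; the scenario (an unaligned allocation leaving `last` at 17 in a block whose `end` is 21) is constructed to match the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not nginx's code: a block of an nginx-style pool,
 * tracked as offsets so an out-of-range "pointer" is just a number. */

#define ALIGNMENT   8         /* stands in for NGX_ALIGNMENT */
#define ALLOC_FAIL  SIZE_MAX  /* no room here; nginx would try the next block */

typedef struct {
    size_t last;   /* offset of the first free byte, like p->d.last */
    size_t end;    /* offset one past the block, like p->d.end      */
} pool_block;

/* Same rounding as ngx_align_ptr, applied to an offset. */
static size_t align_up(size_t off, size_t a)
{
    return (off + a - 1) & ~(a - 1);
}

/* Models the original check. When aligning has moved m past end, the
 * signed difference is negative; casting it to size_t yields a huge value,
 * the comparison passes, and the block hands out bytes it does not own. */
size_t alloc_buggy(pool_block *p, size_t size, int align)
{
    size_t m = p->last;
    if (align) {
        m = align_up(m, ALIGNMENT);
    }
    ptrdiff_t avail = (ptrdiff_t) p->end - (ptrdiff_t) m;  /* may be < 0 */
    if ((size_t) avail >= size) {
        p->last = m + size;  /* may now exceed p->end */
        return m;
    }
    return ALLOC_FAIL;
}

/* Hardened form: establish m <= end first, so end - m is non-negative
 * before it is compared against the requested size. */
size_t alloc_checked(pool_block *p, size_t size, int align)
{
    size_t m = p->last;
    if (align) {
        m = align_up(m, ALIGNMENT);
    }
    if (m <= p->end && p->end - m >= size) {
        p->last = m + size;
        return m;
    }
    return ALLOC_FAIL;
}

/* Constructed scenario from the report: last = 17, end = 21 (end is not a
 * multiple of ALIGNMENT), so aligning up gives 24, three bytes past end. */
int main(void)
{
    pool_block b1 = { 17, 21 }, b2 = { 17, 21 };

    size_t r1 = alloc_buggy(&b1, 4, 1);
    size_t r2 = alloc_checked(&b2, 4, 1);

    printf("buggy:   returned offset %zu, last now %zu (end %zu)\n",
           r1, b1.last, b1.end);
    if (r2 == ALLOC_FAIL) {
        printf("checked: refused, last still %zu\n", b2.last);
    }
    return 0;
}
```

Running it shows the buggy check returning offset 24 and advancing `last` to 28 in a 21-byte block, while the checked version refuses and leaves the block untouched. Note that with an `end` that is itself a multiple of `ALIGNMENT` (say 24) the two versions agree, which is why whether pool block sizes are always aligned decides whether the original code is reachable in the bad state.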
Thread:

possible problem with ngx_palloc_small()        Maksim Yevmenkin   353 views   August 31, 2020 02:10PM
Re: possible problem with ngx_palloc_small()    Maxim Dounin       199 views   September 01, 2020 09:20AM