Hello!

On Mon, Aug 31, 2020 at 11:08:13AM -0700, Maksim Yevmenkin wrote:

> Hello,
>
> a colleague of mine sent me this
>
> ==
>
> There is a problem in ngx_palloc_small() if it is called with arg
> 'align' set true when the small buffer is almost exhausted such that
> there are less bytes available in that buffer than the change in
> alignment consumes
>
> In that case, 'm' (the alignment adjusted start of the remainder of
> the buffer) may move beyond the 'end' marker, meaning that p->d.end -
> m becomes -ve.
>
> Unfortunately, that subtraction is cast to a size_t (unsigned) and so
> its comparison to '>= size' is very likely true, meaning that the
> p->d.last is advanced beyond p->d.end and so memory already utilised
> is returned. iI that happens to trample over bytes used for say the
> p->large->next...->next chain, then a BUS error is likely
>
> It seems that this can be addressed by :
>
> @@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size,
> ngx_uint_t align)
> m = ngx_align_ptr(m, NGX_ALIGNMENT);
> }
>
> - if ((size_t) (p->d.end - m) >= size) {
> + if (p->d.end >= (size + m)) {
> p->d.last = m + size;
>
> return m;
> ==
>
> can someone please share thoughts, comments, etc?

https://trac.nginx.org/nginx/ticket/686

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel