Hi,

I ran into a segfault while debugging one of my modules due to a bug
in the ngx_http_upstream_create function. Here's the quick patch

diff -udTr nginx-0.8.36/src/http/ngx_http_upstream.c
nginx-0.8.36-patched/src/http/ngx_http_upstream.c
--- nginx-0.8.36/src/http/ngx_http_upstream.c 2010-01-30
00:45:14.000000000 +0800
+++ nginx-0.8.36-patched/src/http/ngx_http_upstream.c 2010-05-01
11:40:40.252227964 +0800
@@ -365,8 +365,6 @@
if (u && u->cleanup) {
r->main->count++;
ngx_http_upstream_cleanup(r);
- *u->cleanup = NULL;
- u->cleanup = NULL;
}

u = ngx_pcalloc(r->pool, sizeof(ngx_http_upstream_t));

That is, ngx_http_upstream_cleanup will also clear both *u->cleanup
and u->cleanup, so doing *u->cleanup = NULL again after the call will
cause segfault (writing to a NULL pointer). This issue exists in nginx
0.8.36 and as old as at 0.8.29 :)

Cheers,
-agentzh

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel