Hello, I found an array index out of bounds bug in the ngx_inet_add_addr() function. In my case, I want to call ngx_parse_url(cf->pool, u) twice to update my address. Consider this situation: in both calls the argument u has u->url.data set to an IP address string, and the call trace is
ngx_inet_add_addr (src/core/ngx_inet.c#L1274) ngx_parse_inet_url (src/core/ngx_inet.c#L968) ngx_parse_url (src/core/ngx_inet.c#L700). In the first ngx_parse_url() call, the u->url.data IP address is successfully added to the u->addrs array, and u->naddrs is increased to 1. In the second ngx_parse_url() call, the u->url.data IP address is added to the u->addrs array again; because u->naddrs was increased to 1 in the first call, this time the updated IP address is written to u->addrs[1], but the u->addrs array was allocated with 1 * sizeof(ngx_addr_t): src/core/ngx_inet.c#L1275 u->addrs = ngx_palloc(pool, total * nports * sizeof(ngx_addr_t)); So the second call causes a memory error, and it may even crash the program. In order to avoid this bug, we need to check the index of u->addrs. Could you help me check where there is a problem? Thanks!
# HG changeset patch # User Jun Ouyang <[email protected]> # Date 1609070041 -28800 # Sun Dec 27 19:54:01 2020 +0800 # Node ID 978ff553691d3fec538586cfa88e1e2b9858d4b5 # Parent 82228f955153527fba12211f52bf102c90f38dfb Multiple call ngx_parse_url add addr to addrs array cause index out of bounds bug diff -r 82228f955153 -r 978ff553691d src/core/ngx_inet.c --- a/src/core/ngx_inet.c Tue Dec 15 17:41:39 2020 +0300 +++ b/src/core/ngx_inet.c Sun Dec 27 19:54:01 2020 +0800 @@ -1278,6 +1278,10 @@ } } + if (u->naddrs == nports * total) { + u->naddrs = 0; + } + for (i = 0; i < nports; i++) { sa = ngx_pcalloc(pool, socklen); if (sa == NULL) {
-- *GPG public key: 4A6D297E6F74638E4D5F8E99152AC7B5F7608B26*
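Review bot: the added check `if (u->naddrs == nports * total) { u->naddrs = 0; }` only covers the case where the second ngx_parse_url() call produces exactly the same nports * total as the first one; u->addrs keeps the size chosen by the first call (`u->addrs = ngx_palloc(pool, total * nports * sizeof(ngx_addr_t));` at src/core/ngx_inet.c#L1275) and is not reallocated, so a second call that yields more addresses or ports still writes past the end of the buffer, and a second call that yields fewer never reaches the reset and keeps appending after the stale entries. The reset also hides the reuse of a half-filled ngx_url_t instead of reporting it. A more robust fix is to reset the parser-filled fields (u->addrs and u->naddrs) in the caller before reusing u, or to make ngx_inet_add_addr (re)allocate whenever u->naddrs == 0, so the buffer size always matches the total of the current call.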
_______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
