Skip to content
This repository has been archived by the owner on May 29, 2023. It is now read-only.

improve potential memory access overflow risk for #104 #123

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

improve potential memory access overflow risk for #104 #123

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion config
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ if test -n "$ngx_module_link"; then
ngx_module_deps="$HTTP_DYUPS_DEPS"
. auto/module
else
if $HTTP_AUX_FILTER_MODULES | grep "ngx_http_lua_module" > /dev/null; then
if test -n "$(echo $HTTP_AUX_FILTER_MODULES | grep ngx_http_lua_module)" > /dev/null; then
dyups_lua
fi
HTTP_MODULES="$HTTP_MODULES ngx_http_dyups_module"
Expand Down
76 changes: 60 additions & 16 deletions ngx_http_dyups_module.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ typedef struct {

typedef struct {
ngx_uint_t ref;
ngx_http_dyups_srv_conf_t *duscf;
ngx_http_upstream_init_peer_pt init;
} ngx_http_dyups_upstream_srv_conf_t;

Expand Down Expand Up @@ -1355,11 +1356,10 @@ ngx_dyups_parse_upstream(ngx_conf_t *cf, ngx_buf_t *buf)
char *rc;
ngx_buf_t b;
ngx_str_t s;
ngx_uint_t i;
ngx_hash_t vh, vh_prev;
ngx_array_t va, va_prev;
ngx_conf_file_t conf_file;
ngx_http_variable_t *v;
ngx_http_variable_t *v, *v_head, *v_tail;
ngx_hash_keys_arrays_t vk;
ngx_http_core_main_conf_t *cmcf;

Expand Down Expand Up @@ -1387,30 +1387,32 @@ ngx_dyups_parse_upstream(ngx_conf_t *cf, ngx_buf_t *buf)

cmcf->variables = va;
cmcf->variables_hash = vh;
cmcf->variables_keys = &vk;

v = va_prev.elts;
for (i = 0; i < va_prev.nelts; i++) {
v_head = va_prev.elts;
v_tail = v_head + va_prev.nelts;

if (v[i].get_handler) {
continue;
for (v = v_tail - 1; v >= v_head; v--) {

if (v->get_handler) {
break;
}

s.len = v[i].name.len;
s.data = ngx_pstrdup(ngx_cycle->pool, &v[i].name);
s.len = v->name.len;
s.data = ngx_pstrdup(ngx_cycle->pool, &v->name);
if (!s.data) {
rc = NGX_CONF_ERROR;
break;
}

/*
* variable name will be assign to cmcf->variables[idx].name directly
* so the lifetime of v[i].name should be the same as cmcf
* so the lifetime of v->name should be the same as cmcf
*/
v[i].name = s;
v->name = s;

cmcf->variables.elts = &v[i];
cmcf->variables.elts = v;
cmcf->variables.nelts = 1;
cmcf->variables_keys = &vk;
if (ngx_http_variables_init_vars(cf) != NGX_OK) {
rc = NGX_CONF_ERROR;
break;
Expand Down Expand Up @@ -1523,7 +1525,6 @@ ngx_dyups_find_upstream(ngx_str_t *name, ngx_int_t *idx)
" %ui", duscf->idx);

duscf->deleted = NGX_DYUPS_DELETED;

if (duscf->pool) {
ngx_destroy_pool(duscf->pool);
duscf->pool = NULL;
Expand Down Expand Up @@ -1565,9 +1566,11 @@ ngx_dyups_init_upstream(ngx_http_dyups_srv_conf_t *duscf, ngx_str_t *name,
{
ngx_uint_t mi, m;
ngx_conf_t cf;
ngx_array_t *arr;
ngx_module_t **modules;
ngx_http_module_t *module;
ngx_http_conf_ctx_t *ctx;
ngx_http_core_main_conf_t *cmcf, *cmcf_dyups;
ngx_http_upstream_srv_conf_t *uscf, **uscfp;
ngx_http_upstream_main_conf_t *umcf;
ngx_http_dyups_upstream_srv_conf_t *dscf;
Expand Down Expand Up @@ -1625,9 +1628,29 @@ ngx_dyups_init_upstream(ngx_http_dyups_srv_conf_t *duscf, ngx_str_t *name,
return NGX_ERROR;
}

ctx->main_conf = ((ngx_http_conf_ctx_t *)
ngx_cycle->conf_ctx[ngx_http_module.index])->main_conf;

ctx->main_conf = ngx_pcalloc(cf.pool, sizeof(void *) * ngx_http_max_module);
if (ctx->main_conf == NULL) {
return NGX_ERROR;
}
ngx_memcpy(ctx->main_conf, ((ngx_http_conf_ctx_t *)cf.ctx)->main_conf,
sizeof(void *) * ngx_http_max_module);

if ((cmcf_dyups = ngx_pcalloc(cf.pool, sizeof(*cmcf_dyups))) == NULL) {
return NGX_ERROR;
}

cmcf = ctx->main_conf[ngx_http_core_module.ctx_index];
ngx_memcpy(cmcf_dyups, cmcf, sizeof(*cmcf_dyups));

arr = &cmcf_dyups->variables;
arr->pool = cf.pool;
arr->nalloc = arr->nelts;
if ((arr->elts = ngx_pcalloc(cf.pool, arr->nelts * arr->size)) == NULL) {
return NGX_ERROR;
}
ngx_memcpy(arr->elts, cmcf->variables.elts, arr->nelts * arr->size);

ctx->main_conf[ngx_http_core_module.ctx_index] = cmcf_dyups;
ctx->srv_conf = ngx_pcalloc(cf.pool, sizeof(void *) * ngx_http_max_module);
if (ctx->srv_conf == NULL) {
return NGX_ERROR;
Expand Down Expand Up @@ -1663,6 +1686,7 @@ ngx_dyups_init_upstream(ngx_http_dyups_srv_conf_t *duscf, ngx_str_t *name,
}

dscf = uscf->srv_conf[ngx_http_dyups_module.ctx_index];
dscf->duscf = duscf;
duscf->ref = &dscf->ref;
duscf->ctx = ctx;
duscf->deleted = 0;
Expand Down Expand Up @@ -1737,6 +1761,9 @@ ngx_http_dyups_send_response(ngx_http_request_t *r, ngx_int_t status,
out.next = NULL;

ngx_http_finalize_request(r, ngx_http_output_filter(r, &out));

ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[dyups] interface read send response: %V", content);
}


Expand Down Expand Up @@ -1898,9 +1925,26 @@ ngx_http_dyups_init_peer(ngx_http_request_t *r,
ngx_int_t rc;
ngx_pool_cleanup_t *cln;
ngx_http_dyups_ctx_t *ctx;
ngx_http_variable_value_t *vars;
ngx_http_core_main_conf_t *cmcf, *cmcf_dyups;
ngx_http_dyups_upstream_srv_conf_t *dscf;

dscf = us->srv_conf[ngx_http_dyups_module.ctx_index];

cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
cmcf_dyups = dscf->duscf->ctx->main_conf[ngx_http_core_module.ctx_index];

if (cmcf->variables.nelts < cmcf_dyups->variables.nelts) {
vars = ngx_pcalloc(r->pool, cmcf_dyups->variables.nelts
* sizeof(ngx_http_variable_value_t));
if (vars == NULL) {
return NGX_ERROR;
}
ngx_memcpy(vars, r->variables, cmcf->variables.nelts
* sizeof(ngx_http_variable_value_t));
r->variables = vars;
r->main_conf = dscf->duscf->ctx->main_conf;
}

rc = dscf->init(r, us);

Expand Down
Loading