Added protection against r->main->count overflow by subrequests.

This overflow has become possible after the change in 06e850859a26, since concurrent subrequests are not limited now and each of them is counted in r->main->count.
author: Valentin Bartenev <vbart@nginx.com> 2015-08-31 23:25:16 +0300
committer: Valentin Bartenev <vbart@nginx.com> 2015-08-31 23:25:16 +0300
commit: 4ec67cf86fe3ae09692969b175978b57f8b180ad (patch)
tree: 93c7d51542930f997155876086933ca66cb9e575 /src/http/ngx_http_core_module.c
parent: 0d3b15729ce1340098f098a1e3342f13183fdde2 (diff)
download: nginx-4ec67cf86fe3ae09692969b175978b57f8b180ad.tar.gz
nginx-4ec67cf86fe3ae09692969b175978b57f8b180ad.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 24627308e..0a5b6b47b 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -2433,6 +2433,16 @@ ngx_http_subrequest(ngx_http_request_t *r,
         return NGX_ERROR;
     }
 
+    /*
+     * 1000 is reserved for other purposes.
+     */
+    if (r->main->count >= 65535 - 1000) {
+        ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
+                      "request reference counter overflow "
+                      "while processing \"%V\"", uri);
+        return NGX_ERROR;
+    }
+
     sr = ngx_pcalloc(r->pool, sizeof(ngx_http_request_t));
     if (sr == NULL) {
         return NGX_ERROR;
author	Valentin Bartenev <vbart@nginx.com>	2015-08-31 23:25:16 +0300
committer	Valentin Bartenev <vbart@nginx.com>	2015-08-31 23:25:16 +0300
commit	4ec67cf86fe3ae09692969b175978b57f8b180ad (patch)
tree	93c7d51542930f997155876086933ca66cb9e575 /src/http/ngx_http_core_module.c
parent	0d3b15729ce1340098f098a1e3342f13183fdde2 (diff)
download	nginx-4ec67cf86fe3ae09692969b175978b57f8b180ad.tar.gz nginx-4ec67cf86fe3ae09692969b175978b57f8b180ad.zip