A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created. Example configuration to reproduce the problem:

    location "" {
        location @foo {}
    }

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.
Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.
Reported by Markus Linnala.
Found with afl-fuzz.
save = *cf;
cf->ctx = ctx;
- if (pclcf->name.len == 0) {
+ if (cf->cmd_type == NGX_HTTP_SRV_CONF) {
if_code->loc_conf = NULL;
cf->cmd_type = NGX_HTTP_SIF_CONF;
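Review bot: the new test on the "+" line, cf->cmd_type == NGX_HTTP_SRV_CONF, has no reproducer in the commit message; the example configuration only exercises the nested named location, not an "if" block. Please add a test configuration that places an "if" directive inside a zero-length location, and check that it no longer takes the server-level branch, which sets if_code->loc_conf = NULL. A one-line comment above the condition would also help, saying that the parent name length cannot be used because a zero-length prefix or regex location is a valid parent; otherwise the old pclcf->name.len test is easy to reintroduce.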
pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index];
- if (pclcf->name.len) {
+ if (cf->cmd_type == NGX_HTTP_LOC_CONF) {
/* nested location */
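Review bot: the "+" line if (cf->cmd_type == NGX_HTTP_LOC_CONF) now relies on cf->cmd_type being set to NGX_HTTP_LOC_CONF whenever a location body is being parsed, and nothing in the hunk states that invariant. The existing /* nested location */ comment could be extended to say that nesting is detected from the command type, because a parent declared as location "" has name.len == 0. The reproducer from the commit message should also go into the test suite as a regression test, so that configuration parsing of a named location inside a zero-length location stays covered.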