From: Maxim Dounin Date: Fri, 11 Sep 2015 14:04:04 +0000 (+0300) Subject: Fixed segfault with incorrect location nesting. X-Git-Tag: release-1.9.5~8 X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=7930a6c44279315140955fac230cf5305fc3c550;p=nginx.git Fixed segfault with incorrect location nesting. A configuration with a named location inside a zero-length prefix or regex location used to trigger a segmentation fault, as ngx_http_core_location() failed to properly detect if a nested location was created. Example configuration to reproduce the problem: location "" { location @foo {} } Fix is to not rely on a parent location name length, but rather check command type we are currently parsing. Identical fix is also applied to ngx_http_rewrite_if(), which used to incorrectly assume the "if" directive is on server{} level in such locations. Reported by Markus Linnala. Found with afl-fuzz. --- diff --git a/src/http/modules/ngx_http_rewrite_module.c b/src/http/modules/ngx_http_rewrite_module.c index f24119645..754512fb1 100644 --- a/src/http/modules/ngx_http_rewrite_module.c +++ b/src/http/modules/ngx_http_rewrite_module.c @@ -612,7 +612,7 @@ ngx_http_rewrite_if(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) save = *cf; cf->ctx = ctx; - if (pclcf->name.len == 0) { + if (cf->cmd_type == NGX_HTTP_SRV_CONF) { if_code->loc_conf = NULL; cf->cmd_type = NGX_HTTP_SIF_CONF; diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c index 0a5b6b47b..5cdf9873b 100644 --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -3196,7 +3196,7 @@ ngx_http_core_location(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index]; - if (pclcf->name.len) { + if (cf->cmd_type == NGX_HTTP_LOC_CONF) { /* nested location */