Added protection against r->main->count overflow by subrequests. This overflow has become possible after the change in 06e850859a26, since concurrent subrequests are not limited now and each of them is counted in r->main->count.
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 2462730..0a5b6b4 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -2433,6 +2433,16 @@
 return NGX_ERROR;
 }
+ /*
+ * 1000 is reserved for other purposes.
+ */
+ if (r->main->count >= 65535 - 1000) {
+ ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
+ "request reference counter overflow "
+ "while processing \"%V\"", uri);
+ return NGX_ERROR;
+ }
+
 sr = ngx_pcalloc(r->pool, sizeof(ngx_http_request_t));
 if (sr == NULL) {
 return NGX_ERROR;
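Review bot: The bound `65535 - 1000` in the added check depends on the width of the `count:16` bitfield set in the ngx_http_request.h hunk of this commit, but neither site says so, and the comment "1000 is reserved for other purposes" does not name those purposes. If the field width changes later, the check silently stops protecting the counter, and a wrapped reference count would presumably let the main request be released while subrequests still refer to it. I would make the comment explicit, for example `/* count is a 16-bit field; stay 1000 below its maximum to leave room for references taken elsewhere */` (if that is what the reserve is for), and ideally derive the bound from one named constant next to the field. The enclosing function starts and ends outside the hunk.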
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
index 3954de3..7e56c39 100644
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -439,8 +439,8 @@
 ngx_http_cleanup_t *cleanup;
+ unsigned count:16;
 unsigned subrequests:8;
- unsigned count:8;
 unsigned blocked:8;
 unsigned aio:1;
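Review bot: The neighbouring `subrequests:8` and `blocked:8` fields keep their 8-bit width while `count` is widened. The hunk does not show how they are updated, so it is worth confirming that neither can be incremented once per concurrent operation and wrap the way `count` could. Moving `count` ahead of `subrequests` also changes the bitfield layout of the structure, so any module compiled against the old header would read the wrong bits; a short comment on the field giving the reason for the new width and position would help later readers. The structure definition starts and ends outside the hunk.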