The potential bug incurred by "one_addr".

Maxim Dounin mdounin at mdounin.ru
Thu Dec 16 16:26:42 MSK 2010


Hello!

On Thu, Dec 16, 2010 at 03:36:15AM -0500, speedfirst wrote:

> In ngx_inet.c, there is a piece of code in the function
> "ngx_inet_resolve_host". If I set u->one_addr to 1, but unfortunately
> this hostname maps to multiple IP addresses, such as
>
>     10.37.4.92 myhost
>     127.0.0.1 myhost
>
> in /etc/hosts.
> 
> h->h_addr_list will have 2 entries before NULL. Each of them will be
> converted to human readable format and assigned to u->addrs[ i ].
> However, when one_addr is set, u->addrs will be allocated ONLY ONE
> ngx_addr_t mem. In this way, a mem crash is inevitable.

Thank you for your report.  This bug appeared in 0.5.0 (where the
u->one_addr flag was introduced) and affects auth_http in the mail
module (the only place in nginx that currently uses it).

The attached patch fixes it.

Maxim Dounin
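
A simplified model of the pattern this report is about, as an added example that is not part of the original message and is not nginx code: count the resolved addresses, cap the count when a one-address flag is set, allocate that many slots, and fill them using the allocated count as the loop bound. The names demo_url_t, demo_list_len, demo_resolve and demo_free are hypothetical; the input is constructed from the two /etc/hosts entries quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the resolver output; not nginx's ngx_url_t. */
typedef struct {
    char   **addrs;    /* one slot per selected address */
    size_t   naddrs;   /* number of slots allocated */
} demo_url_t;

/* Iterations a loop makes when it stops only at the NULL terminator. */
static size_t demo_list_len(const char *const *list) {
    size_t n = 0;
    while (list[n] != NULL) n++;
    return n;
}

static void demo_free(demo_url_t *u) {
    for (size_t i = 0; i < u->naddrs; i++) free(u->addrs[i]);
    free(u->addrs);
    u->addrs = NULL; u->naddrs = 0;
}

/* Count, cap the count when one_addr is set, allocate that many slots,
 * then fill with the allocated count as the loop bound. */
static int demo_resolve(demo_url_t *u, const char *const *list, int one_addr) {
    size_t n = demo_list_len(list);
    if (n == 0) return -1;
    if (one_addr) n = 1;
    u->addrs = calloc(n, sizeof(char *));
    if (u->addrs == NULL) return -1;
    u->naddrs = n;
    for (size_t i = 0; i < u->naddrs; i++) {   /* never past the allocation */
        u->addrs[i] = malloc(strlen(list[i]) + 1);
        if (u->addrs[i] == NULL) { demo_free(u); return -1; }
        strcpy(u->addrs[i], list[i]);
    }
    return 0;
}

int main(void) {
    /* Constructed input: the two /etc/hosts entries from the report. */
    const char *const list[] = { "10.37.4.92", "127.0.0.1", NULL };
    demo_url_t u = { NULL, 0 };
    if (demo_resolve(&u, list, 1) != 0) return 1;
    printf("list=%zu allocated=%zu first=%s\n",
           demo_list_len(list), u.naddrs, u.addrs[0]);
    demo_free(&u);
    return 0;
}
```

With the constructed list the terminator-bounded count is 2 while only 1 slot is allocated, which is the mismatch the report describes.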
-------------- next part --------------
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1292505861 -10800
# Node ID e68041df72b078e52a68a9743d5c8ce1617e9695
# Parent  b4fd734aa6be654a9555c8b9ae5e108b233cfe37
Fix u->one_addr handling in ngx_inet_resolve_host().

See report here:

http://nginx.org/pipermail/nginx/2010-December/024229.html

diff --git a/src/core/ngx_inet.c b/src/core/ngx_inet.c
--- a/src/core/ngx_inet.c
+++ b/src/core/ngx_inet.c
@@ -943,7 +943,7 @@ ngx_inet_resolve_host(ngx_pool_t *pool, 
 
         u->naddrs = i;
 
-        for (i = 0; h->h_addr_list[i] != NULL; i++) {
+        for (i = 0; i < u->naddrs; i++) {
 
             sin = ngx_pcalloc(pool, sizeof(struct sockaddr_in));
             if (sin == NULL) {
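
Review bot: The new bound `i < u->naddrs` in the `for` loop is safe only if u->addrs was allocated with that same count, and the allocation sits above the visible context, so the commit message should say that u->naddrs (set from `i` on the line just before the loop) is the count used for the allocation. A one-line comment on the loop noting that h->h_addr_list may hold more entries than u->naddrs when u->one_addr is set would keep a later cleanup from restoring the NULL-terminated walk. The commit message could also name the impact (writes past the end of u->addrs) instead of only linking to the report.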

