Hello! On Thu, Feb 16, 2017 at 03:51:24PM +0800, 洪志道 wrote:
> Hi. > > diff -r da46bfc484ef src/http/ngx_http_variables.c > --- a/src/http/ngx_http_variables.c Mon Feb 13 21:45:01 2017 +0300 > +++ b/src/http/ngx_http_variables.c Wed Feb 08 10:31:53 2017 +0800 > @@ -783,6 +783,10 @@ > ssize_t s, *sp; > ngx_str_t val; > > + if (v->data == NULL) { > + return; > + } > + > val.len = v->len; > val.data = v->data; > > > The following will cause core file, I think it's better to deal with in > nginx. > > server { > listen 8000; > > location / { > content_by_lua_block { > ngx.var.limit_rate = size; # size is undefined. > ngx.say('hello lua'); > } > } This looks like a bug in ngx_parse_size(), it incorrectly assumes that the input string is at least 1 character long. And I believe it can be triggered without Lua too. Please test if the following patch fixes things for you: # HG changeset patch # User Maxim Dounin <mdou...@mdounin.ru> # Date 1487253948 -10800 # Thu Feb 16 17:05:48 2017 +0300 # Node ID 51c8df305d083bc57828f68cd6e709cacdcc41c0 # Parent be00ca08e41a69e585b6aff70a725ed6c9e1a876 Fixed ngx_parse_size() / ngx_parse_offset() with 0-length strings. diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c --- a/src/core/ngx_parse.c +++ b/src/core/ngx_parse.c @@ -17,6 +17,11 @@ ngx_parse_size(ngx_str_t *line) ssize_t size, scale, max; len = line->len; + + if (len == 0) { + return NGX_ERROR; + } + unit = line->data[len - 1]; switch (unit) { @@ -58,6 +63,11 @@ ngx_parse_offset(ngx_str_t *line) size_t len; len = line->len; + + if (len == 0) { + return NGX_ERROR; + } + unit = line->data[len - 1]; switch (unit) { -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel