mirror of
https://github.com/nginx/nginx.git
synced 2024-12-11 17:59:00 +08:00
Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix or regex location used to trigger a segmentation fault, as ngx_http_core_location() failed to properly detect if a nested location was created. Example configuration to reproduce the problem: location "" { location @foo {} } Fix is to not rely on a parent location name length, but rather check command type we are currently parsing. Identical fix is also applied to ngx_http_rewrite_if(), which used to incorrectly assume the "if" directive is on server{} level in such locations. Reported by Markus Linnala. Found with afl-fuzz.
This commit is contained in:
parent
ce05841eef
commit
7930a6c442
@ -612,7 +612,7 @@ ngx_http_rewrite_if(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
save = *cf;
|
||||
cf->ctx = ctx;
|
||||
|
||||
if (pclcf->name.len == 0) {
|
||||
if (cf->cmd_type == NGX_HTTP_SRV_CONF) {
|
||||
if_code->loc_conf = NULL;
|
||||
cf->cmd_type = NGX_HTTP_SIF_CONF;
|
||||
|
||||
|
@ -3196,7 +3196,7 @@ ngx_http_core_location(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy)
|
||||
|
||||
pclcf = pctx->loc_conf[ngx_http_core_module.ctx_index];
|
||||
|
||||
if (pclcf->name.len) {
|
||||
if (cf->cmd_type == NGX_HTTP_LOC_CONF) {
|
||||
|
||||
/* nested location */
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user