From 4ec67cf86fe3ae09692969b175978b57f8b180ad Mon Sep 17 00:00:00 2001
From: Valentin Bartenev
Date: Mon, 31 Aug 2015 23:25:16 +0300
Subject: [PATCH] Added protection against r->main->count overflow by subrequests.

This overflow has become possible after the change in 06e850859a26, since concurrent subrequests are not limited now and each of them is counted in r->main->count.
---
 src/http/ngx_http_core_module.c | 10 ++++++++++
 src/http/ngx_http_request.h | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 24627308e..0a5b6b47b 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -2433,6 +2433,16 @@ ngx_http_subrequest(ngx_http_request_t *r,
 return NGX_ERROR;
 }
+ /*
+ * 1000 is reserved for other purposes.
+ */
+ if (r->main->count >= 65535 - 1000) {
+ ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
+ "request reference counter overflow "
+ "while processing \"%V\"", uri);
+ return NGX_ERROR;
+ }
+
 sr = ngx_pcalloc(r->pool, sizeof(ngx_http_request_t));
 if (sr == NULL) {
 return NGX_ERROR;
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
index 3954de3f1..7e56c399d 100644
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -439,8 +439,8 @@ struct ngx_http_request_s {
 ngx_http_cleanup_t *cleanup;
+ unsigned count:16;
 unsigned subrequests:8;
- unsigned count:8;
 unsigned blocked:8;
 unsigned aio:1;
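Review bot: The limit `65535 - 1000` in the new guard in ngx_http_subrequest() (src/http/ngx_http_core_module.c) is two bare literals whose meaning lives elsewhere. 65535 is the maximum of the `count:16` bit-field that the second hunk introduces in src/http/ngx_http_request.h, and the comment only says the 1000 is "reserved for other purposes". Nothing ties the check to the field width, so a later change to `count` would leave the guard stale without any compiler warning. The other code paths that increment `r->main->count` are not visible here and presumably rely on that 1000 of headroom without a check of their own. I would make the comment say so, for example `/* r->main->count is a 16-bit field (see ngx_http_request.h); keep 1000 below its maximum as headroom for references taken outside ngx_http_subrequest() */`, and add a matching one-line comment next to `count:16` pointing back at this check. The body of ngx_http_subrequest() starts and ends outside the hunk.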