bugfix: tcpsock:connect(): when the nginx resolver's send() immediately fails without yielding, we didn't clean up the coroutine ctx state properly.

root · agentzh · commit 36d6ef406b98 · 2017-08-23T20:58:31.000-07:00
This might lead to segmentation faults.

thanks xiaocang for the discovery.

Signed-off-by: Yichun Zhang (agentzh) &lt;agentzh@gmail.com&gt;
diff --git a/.travis.yml b/.travis.yml
@@ -90,6 +90,7 @@ before_script:
   - mysql -uroot -e 'create database ngx_test; grant all on ngx_test.* to "ngx_test"@"%" identified by "ngx_test"; flush privileges;'
 
 script:
+  - sudo iptables -I OUTPUT 1 -p udp --dport 10086 -j REJECT
   - cd luajit2/
   - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT -msse4.2' > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1)
diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c
@@ -743,6 +743,9 @@ ngx_http_lua_socket_tcp_connect(lua_State *L)
 
         u->ft_type |= NGX_HTTP_LUA_SOCKET_FT_RESOLVER;
 
+        coctx->cleanup = NULL;
+        coctx->data = NULL;
+
         u->resolved->ctx = NULL;
         lua_pushnil(L);
         lua_pushfstring(L, "%s could not be resolved", host.data);
diff --git a/t/058-tcp-socket.t b/t/058-tcp-socket.t
@@ -4,7 +4,7 @@ use Test::Nginx::Socket::Lua;
 
 repeat_each(2);
 
-plan tests => repeat_each() * 190;
+plan tests => repeat_each() * 193;
 
 our $HtmlDir = html_dir;
 
@@ -3690,3 +3690,40 @@ received: OK
 close: 1 nil
 --- no_error_log
 [error]
+
+
+
+=== TEST 61: resolver send query failing immediately in connect()
+this case did not clear coctx->cleanup properly and would lead to memory invalid accesses.
+
+this test case requires the following iptables rule to work properly:
+
+sudo iptables -I OUTPUT 1 -p udp --dport 10086 -j REJECT
+
+--- config
+    location /t {
+        resolver 127.0.0.1:10086 ipv6=off;
+        resolver_timeout 10ms;
+
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+
+            for i = 1, 3 do -- retry
+                local ok, err = sock:connect("www.google.com", 80)
+                if not ok then
+                    ngx.say("failed to connect: ", err)
+                end
+            end
+
+            ngx.say("hello!")
+        }
+    }
+--- request
+GET /t
+--- response_body
+failed to connect: www.google.com could not be resolved
+failed to connect: www.google.com could not be resolved
+failed to connect: www.google.com could not be resolved
+hello!
+--- error_log eval
+qr{\[alert\] .*? send\(\) failed \(\d+: Operation not permitted\) while resolving}
