Nginx 1.0.5 on Windows: heap corruption

Hi,
When I use Nginx 1.0.5 on Windows, it shows a message box reporting
heap corruption.
I used Visual Studio to debug it and found that it is in
src/os/win32/ngx_file.c, line 224, ngx_win32_rename_file().
When I change it like this:

ngx_err_t
ngx_win32_rename_file(ngx_str_t *from, ngx_str_t *to, ngx_log_t *log)
{
    u_char             *name;
    ngx_err_t           err;
    ngx_uint_t          collision;
    ngx_atomic_uint_t   num;
    size_t              size;

    size = to->len + 1 + 10 + 1 + sizeof("DELETE") + 1;

    name = ngx_alloc(size, log);
    if (name == NULL) {
        return NGX_ENOMEM;
    }

    ngx_memzero(name, size);

    ngx_memcpy(name, to->data, to->len);

    ...

}

It runs OK…

Posted at Nginx Forum:

Hello!

On Sun, Aug 21, 2011 at 12:07:06PM -0400, hydra wrote:

u_char             *name;
ngx_err_t           err;
ngx_uint_t          collision;
ngx_atomic_uint_t   num;
size_t              size;

size = to->len + 1 + 10 + 1 + sizeof("DELETE") + 1;

Thank you for the report. It looks like “10” here should be
NGX_ATOMIC_T_LEN instead.

Could you please test the following patch?

diff --git a/src/os/win32/ngx_files.c b/src/os/win32/ngx_files.c
— a/src/os/win32/ngx_files.c
+++ b/src/os/win32/ngx_files.c
@@ -228,7 +228,8 @@ ngx_win32_rename_file(ngx_str_t *from, n
ngx_uint_t collision;
ngx_atomic_uint_t num;

  • name = ngx_alloc(to->len + 1 + 10 + 1 + sizeof(“DELETE”), log);
  • name = ngx_alloc(to->len + 1 + NGX_ATOMIC_T_LEN + 1 +
    sizeof(“DELETE”),
  •                 log);
    
    if (name == NULL) {
    return NGX_ENOMEM;
    }
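
Review bot: the size expression on the added ngx_alloc() line is still a sum of unlabeled terms (to->len + 1 + NGX_ATOMIC_T_LEN + 1 + sizeof("DELETE")), and nothing in this hunk ties it to the code that later writes into name; the old literal 10 shows how easily the two get out of step. Suggest a short comment above the call naming what each term reserves (separator, counter field, separator, suffix with the terminating NUL that sizeof includes), or computing the size once into a local and bounding the later write with it, so a change to the counter format cannot silently outgrow the allocation.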

Maxim D.

On Sun, Aug 21, 2011 at 12:07:06PM -0400, hydra wrote:

u_char             *name;
}

ngx_memzero(name,size);

ngx_memcpy(name, to->data, to->len);

...


}

It runs OK…

ngx_memzero() is useless here.
Have you built in 64-bit mode?


Igor S.

Hello!

On Sun, Aug 21, 2011 at 08:54:47PM +0400, Igor S. wrote:

[…]

Have you built in 64-bit mode?

I believe even on 32-bit %0muA will be 11 bytes long, which is a
bit too many to fit into 10 bytes allocated.

Maxim D.
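
The off-by-one described in this reply, worked through as an added example that is not part of the thread or of nginx's source. It assumes the temporary name is laid out as the target path, a dot, the zero-padded counter, a dot and DELETE (as the terms of the size expression suggest) and that the counter field is 11 digits on 32-bit and 20 on 64-bit builds; standard snprintf() stands in for nginx's own formatter, and all function and macro names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed counter widths: the 11-digit (32-bit) and 20-digit (64-bit)
 * zero-padded fields. Macro names are hypothetical, not nginx's. */
#define WIDTH_32 (sizeof("-2147483648") - 1)
#define WIDTH_64 (sizeof("-9223372036854775808") - 1)

/* Bytes for "<to>.<counter>.DELETE"; sizeof("DELETE") includes the NUL. */
size_t temp_name_size(size_t to_len, size_t num_width)
{
    return to_len + 1 + num_width + 1 + sizeof("DELETE");
}

/* How many bytes the old hard-coded "10" under-allocates for this width. */
size_t shortfall(size_t to_len, size_t num_width)
{
    size_t old = to_len + 1 + 10 + 1 + sizeof("DELETE");
    size_t need = temp_name_size(to_len, num_width);
    return need > old ? need - old : 0;
}

/* Bounded formatter: returns bytes used including the NUL, or 0 when the
 * name does not fit in cap. It never writes past buf[cap - 1]. */
size_t format_temp_name(char *buf, size_t cap, const char *to,
                        uint64_t num, size_t num_width)
{
    int n = snprintf(buf, cap, "%s.%0*llu.DELETE", to, (int) num_width,
                     (unsigned long long) num);
    return (n < 0 || (size_t) n >= cap) ? 0 : (size_t) n + 1;
}

int main(void)
{
    const char *to = "C:/nginx/temp/0000000001";  /* constructed sample */
    char buf[128];
    size_t len = strlen(to);

    printf("32-bit shortfall: %zu byte(s)\n", shortfall(len, WIDTH_32));
    printf("64-bit shortfall: %zu byte(s)\n", shortfall(len, WIDTH_64));
    if (format_temp_name(buf, temp_name_size(len, WIDTH_32), to, 7, WIDTH_32))
        printf("%s\n", buf);
    return 0;
}
```

With the bounded formatter, an undersized buffer is reported as a failure instead of overrunning the heap block by one byte.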

Igor S. Wrote:

When I do like this:

ngx_memcpy(name, to->data, to->len);


Igor S.


nginx mailing list
[email protected]
nginx Info Page

Yes, I built in 64-bit mode. But I use Visual Studio 2008 32-bit. So…


On Sun, Aug 21, 2011 at 11:09:12PM +0400, Maxim D. wrote:

Hello!

On Sun, Aug 21, 2011 at 08:54:47PM +0400, Igor S. wrote:

[…]

Have you built in 64-bit mode?

I believe even on 32-bit %0muA will be 11 bytes long, which is a
bit too many to fit into 10 bytes allocated.

Yes, you are right, please commit this fix.


Igor S.

On Sun, Aug 21, 2011 at 09:56:17PM -0400, hydra wrote:

Hello, Maxim D.
I tested your patch, it works very OK. The heap memory is enough to
save the name string.

Hi, I want to ask a question. In the function
ngx_win32_rename_file(), there is a comment: /* mutex_lock() (per
cache or single ?) */.
Is it useless? I mean, is mutex_lock useless in
ngx_win32_rename_file()?

Yes, it’s useless.


Igor S.

Hello, Maxim D.
I tested your patch, it works very OK. The heap memory is enough to
save the name string.

Hi, I want to ask a question. In the function
ngx_win32_rename_file(), there is a comment: /* mutex_lock() (per
cache or single ?) */.
Is it useless? I mean, is mutex_lock useless in
ngx_win32_rename_file()?

Maxim D. Wrote:

in

ngx_uint_t          collision;

Could you please test the following patch?

  • name = ngx_alloc(to->len + 1 + 10 + 1 +



Maxim D. Wrote:

Thanks for testing, the patch was committed and
will be included
in upcoming 1.1.1 release.

Maxim D.



I hope nginx will run OK on Windows. And when can Nginx run on Windows
with IOCP?


Hello!

On Sun, Aug 21, 2011 at 09:56:17PM -0400, hydra wrote:

Hello, Maxim D.
I tested your patch, it works very OK. The heap memory is enough to
save the name string.

Thanks for testing, the patch was committed and will be included
in upcoming 1.1.1 release.

Maxim D.