Segfault in nginx 1.2.0 and 1.2.2 when serving 400 error pages via a reverse proxied host

Earlier this year we noticed a large number of segfaulting nginx
processes.

This turned out to be an instance of:

whereby we had a config snippet which looked like:

error_page 400 @fallback;

Triggered (we think) by someone running an exploit for CVE-2009-3896

I can reproduce the segfault by running:

$ echo -e "GET $(perl -e 'print "o" x 4079;')/ HTTP/1.1\r\n\r\n" | openssl s_client -connect 256.256.256.256:443

(where 256.256.256.256 is the address of an nginx host configured with
SSL)

Here’s a gdb backtrace. Unfortunately, my debugging skills aren’t quite
up to dealing with this as so far as I can tell, the optimiser has had
its wicked way and rearranged everything, making it difficult to match
the disassembly with the code.

Is this helpful to anyone?

Also, I discovered that your nginx-debug RPM doesn’t actually include
debug symbols (!)
On CentOS 5 I fixed this by adding to the top of the spec file:

%define __os_install_post \
/usr/lib/rpm/brp-compress \
/usr/lib/rpm/brp-strip-static-archive \
/usr/lib/rpm/brp-strip-comment-note \

Which is redefining __os_install_post to be the same as usual, minus the
call to /usr/lib/rpm/brp-strip

What was happening was that the nginx binary was built, complete with
symbols, copied to nginx.debug, then the original binary was stripped.

Then, __os_install_post ran, which called brp-strip. brp-strip goes and
strips all the executables it can find, including nginx.debug!

GNU gdb (GDB) CentOS (7.0.1-42.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Attaching to process 6810
Reading symbols from /usr/sbin/nginx.debug…done.
Reading symbols from /lib64/libpthread.so.0…(no debugging symbols
found)…done.
[Thread debugging using libthread_db enabled]
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libcrypt.so.1…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libpcre.so.0…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libpcre.so.0
Reading symbols from /lib64/libssl.so.6…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libdl.so.2…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libz.so.1…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libz.so.1
Reading symbols from /lib64/libc.so.6…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2…(no debugging symbols
found)…done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2…(no debugging
symbols found)…done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3…(no debugging symbols
found)…done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3…(no debugging symbols
found)…done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /usr/lib64/libkrb5support.so.0…(no debugging
symbols found)…done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libresolv.so.2…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libselinux.so.1…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2…(no debugging symbols
found)…done.
Loaded symbols for /lib64/libnss_files.so.2

warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x7fffc613d000
0x000000321ced3603 in __epoll_wait_nocancel () from /lib64/libc.so.6
(gdb)
(gdb)
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000321ce7ab6e in memcpy () from /lib64/libc.so.6
(gdb) bt
#0 0x000000321ce7ab6e in memcpy () from /lib64/libc.so.6
#1 0x000000000046a99f in ngx_http_proxy_create_request (r=0x12c3a110) at src/http/modules/ngx_http_proxy_module.c:1067
#2 0x000000000044a023 in ngx_http_upstream_init_request (r=0x12c3a110) at src/http/ngx_http_upstream.c:505
#3 0x000000000043ef26 in ngx_http_read_client_request_body (r=0x12c3a110, post_handler=0x44a690 <ngx_http_upstream_init>) at src/http/ngx_http_request_body.c:155
#4 0x0000000000468ecb in ngx_http_proxy_handler (r=0x12c3a110) at src/http/modules/ngx_http_proxy_module.c:702
#5 0x00000000004325bc in ngx_http_core_content_phase (r=0x12c3a110, ph=0x12c3df18) at src/http/ngx_http_core_module.c:1396
#6 0x000000000042d2ad in ngx_http_core_run_phases (r=0x12c3a110) at src/http/ngx_http_core_module.c:877
#7 0x00000000004312d0 in ngx_http_named_location (r=0x12c3a110, name=0x7fffc606fa20) at src/http/ngx_http_core_module.c:2603
#8 0x00000000004346a7 in ngx_http_send_error_page (r=0x12c3a110, error=<value optimized out>) at src/http/ngx_http_special_response.c:573
#9 ngx_http_special_response_handler (r=0x12c3a110, error=<value optimized out>) at src/http/ngx_http_special_response.c:415
#10 0x00000000004379d1 in ngx_http_finalize_request (r=0x12c3a110, rc=400) at src/http/ngx_http_request.c:2004
#11 0x00000000004392ab in ngx_http_process_request_line (rev=0x2b982deef148) at src/http/ngx_http_request.c:943
#12 0x000000000041d2e4 in ngx_event_process_posted (cycle=0x12c01640, posted=0x6bd4a8) at src/event/ngx_event_posted.c:40
#13 0x00000000004241c6 in ngx_worker_process_cycle (cycle=0x12c01640, data=<value optimized out>) at src/os/unix/ngx_process_cycle.c:808
#14 0x00000000004226dd in ngx_spawn_process (cycle=0x12c01640, proc=0x424100 <ngx_worker_process_cycle>, data=0x0, name=0x48d306 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198
#15 0x00000000004236fc in ngx_start_worker_processes (cycle=0x12c01640, n=4, type=-3) at src/os/unix/ngx_process_cycle.c:365
#16 0x0000000000424994 in ngx_master_process_cycle (cycle=0x12c01640) at src/os/unix/ngx_process_cycle.c:137
#17 0x00000000004066e5 in main (argc=3, argv=<value optimized out>) at src/core/nginx.c:410
(gdb) disassemble 0x000000000046a99f
Dump of assembler code for function ngx_http_proxy_create_request:
0x000000000046a520 <ngx_http_proxy_create_request+0>: push %r15
0x000000000046a522 <ngx_http_proxy_create_request+2>: push %r14
0x000000000046a524 <ngx_http_proxy_create_request+4>: push %r13
0x000000000046a526 <ngx_http_proxy_create_request+6>: push %r12
0x000000000046a528 <ngx_http_proxy_create_request+8>: push %rbp
0x000000000046a529 <ngx_http_proxy_create_request+9>: push %rbx
0x000000000046a52a <ngx_http_proxy_create_request+10>: sub
$0x128,%rsp
0x000000000046a531 <ngx_http_proxy_create_request+17>: mov
0x48(%rdi),%rax
0x000000000046a535 <ngx_http_proxy_create_request+21>: mov
%rdi,0x10(%rsp)
0x000000000046a53a <ngx_http_proxy_create_request+26>: mov
%rax,0x38(%rsp)
0x000000000046a53f <ngx_http_proxy_create_request+31>: mov
0x249b5a(%rip),%rax # 0x6b40a0 <ngx_http_proxy_module>
0x000000000046a546 <ngx_http_proxy_create_request+38>: mov
0x38(%rsp),%rcx
0x000000000046a54b <ngx_http_proxy_create_request+43>: lea
0x0(,%rax,8),%rdx
0x000000000046a553 <ngx_http_proxy_create_request+51>: mov
0x28(%rdi),%rax
0x000000000046a557 <ngx_http_proxy_create_request+55>: mov
(%rax,%rdx,1),%rax
0x000000000046a55b <ngx_http_proxy_create_request+59>: mov
%rax,0x48(%rsp)
0x000000000046a560 <ngx_http_proxy_create_request+64>: mov
0x320(%rcx),%rax
0x000000000046a567 <ngx_http_proxy_create_request+71>: test %rax,%rax
0x000000000046a56a <ngx_http_proxy_create_request+74>: je 0x46a830
<ngx_http_proxy_create_request+784>
0x000000000046a570 <ngx_http_proxy_create_request+80>: mov
0x328(%rcx),%rcx
0x000000000046a577 <ngx_http_proxy_create_request+87>: add $0x1,%rax
0x000000000046a57b <ngx_http_proxy_create_request+91>: mov
%rax,0x58(%rsp)
0x000000000046a580 <ngx_http_proxy_create_request+96>: mov
%rcx,0x50(%rsp)
0x000000000046a585 <ngx_http_proxy_create_request+101>: mov
0x10(%rsp),%rcx
0x000000000046a58a <ngx_http_proxy_create_request+106>: cmpq
$0x5,0x58(%rsp)
0x000000000046a590 <ngx_http_proxy_create_request+112>: mov
0x10(%rcx),%rax
0x000000000046a594 <ngx_http_proxy_create_request+116>: mov
(%rdx,%rax,1),%rdx
0x000000000046a598 <ngx_http_proxy_create_request+120>: mov
%rdx,0x40(%rsp)
0x000000000046a59d <ngx_http_proxy_create_request+125>: je 0x46a93f
<ngx_http_proxy_create_request+1055>
0x000000000046a5a3 <ngx_http_proxy_create_request+131>: mov
0x48(%rsp),%rdx
0x000000000046a5a8 <ngx_http_proxy_create_request+136>: cmpq
$0x0,0x1b0(%rdx)
0x000000000046a5b0 <ngx_http_proxy_create_request+144>: je 0x46a74e
<ngx_http_proxy_create_request+558>
0x000000000046a5b6 <ngx_http_proxy_create_request+150>: mov
0x40(%rsp),%rcx
0x000000000046a5bb <ngx_http_proxy_create_request+155>: xor
%edx,%edx
0x000000000046a5bd <ngx_http_proxy_create_request+157>: mov
0x68(%rcx),%rax
0x000000000046a5c1 <ngx_http_proxy_create_request+161>: test
%rax,%rax
0x000000000046a5c4 <ngx_http_proxy_create_request+164>: je 0x46a75c
<ngx_http_proxy_create_request+572>
0x000000000046a5ca <ngx_http_proxy_create_request+170>: movq
$0x0,0x18(%rsp)
0x000000000046a5d3 <ngx_http_proxy_create_request+179>: movq
$0x0,0x20(%rsp)
0x000000000046a5dc <ngx_http_proxy_create_request+188>: movq
$0x0,0x28(%rsp)
0x000000000046a5e5 <ngx_http_proxy_create_request+197>: mov
0x58(%rsp),%rcx
0x000000000046a5ea <ngx_http_proxy_create_request+202>: mov
0x10(%rsp),%rdi
0x000000000046a5ef <ngx_http_proxy_create_request+207>: lea
0xd(%rcx,%rax,1),%rbx
0x000000000046a5f4 <ngx_http_proxy_create_request+212>: mov
0x48(%rsp),%rax
0x000000000046a5f9 <ngx_http_proxy_create_request+217>: mov
0x170(%rax),%rsi
0x000000000046a600 <ngx_http_proxy_create_request+224>: callq 0x441c40
<ngx_http_script_flush_no_cacheable_variables>
0x000000000046a605 <ngx_http_proxy_create_request+229>: mov
0x48(%rsp),%rdx
0x000000000046a60a <ngx_http_proxy_create_request+234>: mov
0x178(%rdx),%rax
0x000000000046a611 <ngx_http_proxy_create_request+241>: test
%rax,%rax
0x000000000046a614 <ngx_http_proxy_create_request+244>: je 0x46a65f
<ngx_http_proxy_create_request+319>
0x000000000046a616 <ngx_http_proxy_create_request+246>: mov
(%rax),%rax
0x000000000046a619 <ngx_http_proxy_create_request+249>: orb
$0x1,0xa0(%rsp)
0x000000000046a621 <ngx_http_proxy_create_request+257>: xor
%ebp,%ebp
0x000000000046a623 <ngx_http_proxy_create_request+259>: mov
0x10(%rsp),%rcx
0x000000000046a628 <ngx_http_proxy_create_request+264>: cmpq
$0x0,(%rax)
0x000000000046a62c <ngx_http_proxy_create_request+268>: mov
%rax,0x60(%rsp)
0x000000000046a631 <ngx_http_proxy_create_request+273>: mov
%rcx,0xb0(%rsp)
0x000000000046a639 <ngx_http_proxy_create_request+281>: je 0x46a653
<ngx_http_proxy_create_request+307>
0x000000000046a63b <ngx_http_proxy_create_request+283>: lea
0x60(%rsp),%r12
0x000000000046a640 <ngx_http_proxy_create_request+288>: mov
%r12,%rdi
0x000000000046a643 <ngx_http_proxy_create_request+291>: callq *(%rax)
0x000000000046a645 <ngx_http_proxy_create_request+293>: add
%rax,%rbp
0x000000000046a648 <ngx_http_proxy_create_request+296>: mov
0x60(%rsp),%rax
0x000000000046a64d <ngx_http_proxy_create_request+301>: cmpq
$0x0,(%rax)
0x000000000046a651 <ngx_http_proxy_create_request+305>: jne 0x46a640
<ngx_http_proxy_create_request+288>
0x000000000046a653 <ngx_http_proxy_create_request+307>: mov
0x40(%rsp),%rax
0x000000000046a658 <ngx_http_proxy_create_request+312>: add
%rbp,%rbx
0x000000000046a65b <ngx_http_proxy_create_request+315>: mov
%rbp,0x78(%rax)
0x000000000046a65f <ngx_http_proxy_create_request+319>: mov
0x48(%rsp),%rdx
0x000000000046a664 <ngx_http_proxy_create_request+324>: mov
0x10(%rsp),%rcx
0x000000000046a669 <ngx_http_proxy_create_request+329>: lea
0x60(%rsp),%r12
0x000000000046a66e <ngx_http_proxy_create_request+334>: mov
0x188(%rdx),%rax
0x000000000046a675 <ngx_http_proxy_create_request+341>: mov
%rcx,0xb0(%rsp)
0x000000000046a67d <ngx_http_proxy_create_request+349>: mov
(%rax),%rax
0x000000000046a680 <ngx_http_proxy_create_request+352>: orb
$0x1,0xa0(%rsp)
0x000000000046a688 <ngx_http_proxy_create_request+360>: cmpq
$0x0,(%rax)
0x000000000046a68c <ngx_http_proxy_create_request+364>: mov
%rax,0x60(%rsp)
---Type <return> to continue, or q <return> to quit---
0x000000000046a691 <ngx_http_proxy_create_request+369>: je 0x46a6bb
<ngx_http_proxy_create_request+411>
0x000000000046a693 <ngx_http_proxy_create_request+371>: mov
0x60(%rsp),%rdx
0x000000000046a698 <ngx_http_proxy_create_request+376>: mov
%r12,%rdi
0x000000000046a69b <ngx_http_proxy_create_request+379>: callq *(%rdx)
0x000000000046a69d <ngx_http_proxy_create_request+381>: mov
0x60(%rsp),%rdx
0x000000000046a6a2 <ngx_http_proxy_create_request+386>: add
%rax,%rbx
0x000000000046a6a5 <ngx_http_proxy_create_request+389>: cmpq
$0x0,(%rdx)
0x000000000046a6a9 <ngx_http_proxy_create_request+393>: jne 0x46a698
<ngx_http_proxy_create_request+376>
0x000000000046a6ab <ngx_http_proxy_create_request+395>: cmpq
$0x0,0x8(%rdx)
0x000000000046a6b0 <ngx_http_proxy_create_request+400>: lea
0x8(%rdx),%rax
0x000000000046a6b4 <ngx_http_proxy_create_request+404>: mov
%rax,0x60(%rsp)
0x000000000046a6b9 <ngx_http_proxy_create_request+409>: jne 0x46a693
<ngx_http_proxy_create_request+371>
0x000000000046a6bb <ngx_http_proxy_create_request+411>: mov
0x48(%rsp),%rax
0x000000000046a6c0 <ngx_http_proxy_create_request+416>: cmpq
$0x0,0x98(%rax)
0x000000000046a6c8 <ngx_http_proxy_create_request+424>: je 0x46a90d
<ngx_http_proxy_create_request+1005>
0x000000000046a6ce <ngx_http_proxy_create_request+430>: mov
0x10(%rsp),%rdx
0x000000000046a6d3 <ngx_http_proxy_create_request+435>: mov
0x10(%rsp),%r12
0x000000000046a6d8 <ngx_http_proxy_create_request+440>: mov
%rax,%r15
0x000000000046a6db <ngx_http_proxy_create_request+443>: xor
%r13d,%r13d
0x000000000046a6de <ngx_http_proxy_create_request+446>: add
$0x198,%r15
0x000000000046a6e5 <ngx_http_proxy_create_request+453>: mov
0x70(%rdx),%r14
0x000000000046a6e9 <ngx_http_proxy_create_request+457>: add
$0x70,%r12
0x000000000046a6ed <ngx_http_proxy_create_request+461>: cmp
0x8(%r12),%r13
0x000000000046a6f2 <ngx_http_proxy_create_request+466>: jb 0x46a73f
<ngx_http_proxy_create_request+543>
0x000000000046a6f4 <ngx_http_proxy_create_request+468>: mov
0x10(%r12),%r12
0x000000000046a6f9 <ngx_http_proxy_create_request+473>: test
%r12,%r12
0x000000000046a6fc <ngx_http_proxy_create_request+476>: je 0x46a90d
<ngx_http_proxy_create_request+1005>
0x000000000046a702 <ngx_http_proxy_create_request+482>: mov
(%r12),%r14
0x000000000046a706 <ngx_http_proxy_create_request+486>: xor
%eax,%eax
0x000000000046a708 <ngx_http_proxy_create_request+488>: mov
$0x1,%r13d
0x000000000046a70e <ngx_http_proxy_create_request+494>: lea
(%r14,%rax,1),%rbp
0x000000000046a712 <ngx_http_proxy_create_request+498>: mov
%r15,%rdi
0x000000000046a715 <ngx_http_proxy_create_request+501>: mov
0x8(%rbp),%rcx
0x000000000046a719 <ngx_http_proxy_create_request+505>: mov
0x28(%rbp),%rdx
0x000000000046a71d <ngx_http_proxy_create_request+509>: mov
0x0(%rbp),%rsi
0x000000000046a721 <ngx_http_proxy_create_request+513>: callq 0x407a50
<ngx_hash_find>
0x000000000046a726 <ngx_http_proxy_create_request+518>: test
%rax,%rax
0x000000000046a729 <ngx_http_proxy_create_request+521>: jne 0x46a6ed
<ngx_http_proxy_create_request+461>
0x000000000046a72b <ngx_http_proxy_create_request+523>: mov
0x18(%rbp),%rax
0x000000000046a72f <ngx_http_proxy_create_request+527>: add
0x8(%rbp),%rax
0x000000000046a733 <ngx_http_proxy_create_request+531>: cmp
0x8(%r12),%r13
0x000000000046a738 <ngx_http_proxy_create_request+536>: lea
0x4(%rax,%rbx,1),%rbx
0x000000000046a73d <ngx_http_proxy_create_request+541>: jae 0x46a6f4
<ngx_http_proxy_create_request+468>
0x000000000046a73f <ngx_http_proxy_create_request+543>: lea
0x0(%r13,%r13,2),%rax
0x000000000046a744 <ngx_http_proxy_create_request+548>: add
$0x1,%r13
0x000000000046a748 <ngx_http_proxy_create_request+552>: shl
$0x4,%rax
0x000000000046a74c <ngx_http_proxy_create_request+556>: jmp 0x46a70e
<ngx_http_proxy_create_request+494>
0x000000000046a74e <ngx_http_proxy_create_request+558>: mov
0x40(%rsp),%rax
0x000000000046a753 <ngx_http_proxy_create_request+563>: mov
0x68(%rax),%rdx
0x000000000046a757 <ngx_http_proxy_create_request+567>: test
%rdx,%rdx
0x000000000046a75a <ngx_http_proxy_create_request+570>: jne 0x46a76e
<ngx_http_proxy_create_request+590>
0x000000000046a75c <ngx_http_proxy_create_request+572>: mov
0x10(%rsp),%rcx
0x000000000046a761 <ngx_http_proxy_create_request+577>: testb
$0x10,0x43c(%rcx)
0x000000000046a768 <ngx_http_proxy_create_request+584>: jne 0x46a890
<ngx_http_proxy_create_request+880>
0x000000000046a76e <ngx_http_proxy_create_request+590>: mov
0x10(%rsp),%rax
0x000000000046a773 <ngx_http_proxy_create_request+595>: testb
$0x8,0x43c(%rax)
0x000000000046a77a <ngx_http_proxy_create_request+602>: jne 0x46a871
<ngx_http_proxy_create_request+849>
0x000000000046a780 <ngx_http_proxy_create_request+608>: movq
$0x0,0x18(%rsp)
0x000000000046a789 <ngx_http_proxy_create_request+617>: mov
0x10(%rsp),%rcx
0x000000000046a78e <ngx_http_proxy_create_request+622>: mov
$0x140000000,%rax
0x000000000046a798 <ngx_http_proxy_create_request+632>: test
%rax,0x438(%rcx)
0x000000000046a79f <ngx_http_proxy_create_request+639>: jne 0x46a8da
<ngx_http_proxy_create_request+954>
0x000000000046a7a5 <ngx_http_proxy_create_request+645>: movq
$0x0,0x20(%rsp)
0x000000000046a7ae <ngx_http_proxy_create_request+654>: testb
$0x10,0x440(%rcx)
0x000000000046a7b5 <ngx_http_proxy_create_request+661>: jne 0x46a8da
<ngx_http_proxy_create_request+954>
0x000000000046a7bb <ngx_http_proxy_create_request+667>: mov
0x10(%rsp),%rdx
0x000000000046a7c0 <ngx_http_proxy_create_request+672>: mov
0x40(%rsp),%rcx
0x000000000046a7c5 <ngx_http_proxy_create_request+677>: movq
$0x0,0x28(%rsp)
0x000000000046a7ce <ngx_http_proxy_create_request+686>: mov
0x330(%rdx),%rax
0x000000000046a7d5 <ngx_http_proxy_create_request+693>: add
0x68(%rcx),%rax
0x000000000046a7d9 <ngx_http_proxy_create_request+697>: add
$0x1,%rax
0x000000000046a7dd <ngx_http_proxy_create_request+701>: add
0x340(%rdx),%rax
0x000000000046a7e4 <ngx_http_proxy_create_request+708>: sub
0x18(%rsp),%rax
0x000000000046a7e9 <ngx_http_proxy_create_request+713>: add
0x20(%rsp),%rax
0x000000000046a7ee <ngx_http_proxy_create_request+718>: test
%rax,%rax
0x000000000046a7f1 <ngx_http_proxy_create_request+721>: jne 0x46a5e5
<ngx_http_proxy_create_request+197>
0x000000000046a7f7 <ngx_http_proxy_create_request+727>: mov
0x10(%rsp),%rdx
0x000000000046a7fc <ngx_http_proxy_create_request+732>: mov
0x8(%rdx),%rax
0x000000000046a800 <ngx_http_proxy_create_request+736>: mov
0x50(%rax),%rsi
0x000000000046a804 <ngx_http_proxy_create_request+740>: cmpq
$0x3,(%rsi)
0x000000000046a808 <ngx_http_proxy_create_request+744>: jbe 0x46a926
<ngx_http_proxy_create_request+1030>
0x000000000046a80e <ngx_http_proxy_create_request+750>: xor
%eax,%eax
0x000000000046a810 <ngx_http_proxy_create_request+752>: mov
$0x495e80,%ecx
0x000000000046a815 <ngx_http_proxy_create_request+757>: xor
%edx,%edx
0x000000000046a817 <ngx_http_proxy_create_request+759>: mov
$0x4,%edi
0x000000000046a81c <ngx_http_proxy_create_request+764>: callq 0x4069e0
<ngx_log_error_core>
0x000000000046a821 <ngx_http_proxy_create_request+769>: mov
$0xffffffffffffffff,%rax
0x000000000046a828 <ngx_http_proxy_create_request+776>: jmpq 0x46a92d
<ngx_http_proxy_create_request+1037>
0x000000000046a82d <ngx_http_proxy_create_request+781>: nopl (%rax)
0x000000000046a830 <ngx_http_proxy_create_request+784>: mov
0x48(%rsp),%rax
0x000000000046a835 <ngx_http_proxy_create_request+789>: mov
0x1e8(%rax),%rax
0x000000000046a83c <ngx_http_proxy_create_request+796>: test
%rax,%rax
0x000000000046a83f <ngx_http_proxy_create_request+799>: mov
%rax,0x58(%rsp)
0x000000000046a844 <ngx_http_proxy_create_request+804>: jne 0x46a8c4
<ngx_http_proxy_create_request+932>
0x000000000046a846 <ngx_http_proxy_create_request+806>: mov
0x10(%rsp),%rax
0x000000000046a84b <ngx_http_proxy_create_request+811>: mov
0x10(%rsp),%rcx
0x000000000046a850 <ngx_http_proxy_create_request+816>: mov
0x378(%rax),%rax
0x000000000046a857 <ngx_http_proxy_create_request+823>: mov
%rax,0x50(%rsp)
0x000000000046a85c <ngx_http_proxy_create_request+828>: mov
0x370(%rcx),%rax
0x000000000046a863 <ngx_http_proxy_create_request+835>: add
$0x1,%rax
0x000000000046a867 <ngx_http_proxy_create_request+839>: mov
%rax,0x58(%rsp)
0x000000000046a86c <ngx_http_proxy_create_request+844>: jmpq 0x46a585
<ngx_http_proxy_create_request+101>
0x000000000046a871 <ngx_http_proxy_create_request+849>: test
%rdx,%rdx
0x000000000046a874 <ngx_http_proxy_create_request+852>: je 0x46a780
<ngx_http_proxy_create_request+608>
0x000000000046a87a <ngx_http_proxy_create_request+858>: mov
0x48(%rsp),%rdx
0x000000000046a87f <ngx_http_proxy_create_request+863>: mov
0x1f8(%rdx),%rdx
0x000000000046a886 <ngx_http_proxy_create_request+870>: mov
%rdx,0x18(%rsp)
0x000000000046a88b <ngx_http_proxy_create_request+875>: jmpq 0x46a789
<ngx_http_proxy_create_request+617>
0x000000000046a890 <ngx_http_proxy_create_request+880>: cmp
%rcx,0x398(%rcx)
0x000000000046a897 <ngx_http_proxy_create_request+887>: jne 0x46a76e
<ngx_http_proxy_create_request+590>
0x000000000046a89d <ngx_http_proxy_create_request+893>: mov
0x360(%rcx),%rax
0x000000000046a8a4 <ngx_http_proxy_create_request+900>: movq
$0x0,0x18(%rsp)
0x000000000046a8ad <ngx_http_proxy_create_request+909>: movq
$0x0,0x20(%rsp)
0x000000000046a8b6 <ngx_http_proxy_create_request+918>: movq
$0x1,0x28(%rsp)
0x000000000046a8bf <ngx_http_proxy_create_request+927>: jmpq 0x46a7ee
<ngx_http_proxy_create_request+718>
0x000000000046a8c4 <ngx_http_proxy_create_request+932>: mov
0x48(%rsp),%rcx
0x000000000046a8c9 <ngx_http_proxy_create_request+937>: mov
0x1f0(%rcx),%rcx
0x000000000046a8d0 <ngx_http_proxy_create_request+944>: mov
%rcx,0x50(%rsp)
0x000000000046a8d5 <ngx_http_proxy_create_request+949>: jmpq 0x46a585
<ngx_http_proxy_create_request+101>
0x000000000046a8da <ngx_http_proxy_create_request+954>: mov
0x10(%rsp),%rax
0x000000000046a8df <ngx_http_proxy_create_request+959>: mov
0x18(%rsp),%rsi
0x000000000046a8e4 <ngx_http_proxy_create_request+964>: xor
%ecx,%ecx
0x000000000046a8e6 <ngx_http_proxy_create_request+966>: xor
%edi,%edi
0x000000000046a8e8 <ngx_http_proxy_create_request+968>: mov
0x330(%rax),%rdx
0x000000000046a8ef <ngx_http_proxy_create_request+975>: add
0x338(%rax),%rsi
0x000000000046a8f6 <ngx_http_proxy_create_request+982>: sub
0x18(%rsp),%rdx
0x000000000046a8fb <ngx_http_proxy_create_request+987>: callq 0x40a6f0
<ngx_escape_uri>
0x000000000046a900 <ngx_http_proxy_create_request+992>: add
%rax,%rax
0x000000000046a903 <ngx_http_proxy_create_request+995>: mov
%rax,0x20(%rsp)
0x000000000046a908 <ngx_http_proxy_create_request+1000>: jmpq
0x46a7bb <ngx_http_proxy_create_request+667>
0x000000000046a90d <ngx_http_proxy_create_request+1005>: mov
0x10(%rsp),%rcx
0x000000000046a912 <ngx_http_proxy_create_request+1010>: mov
%rbx,%rsi
0x000000000046a915 <ngx_http_proxy_create_request+1013>: mov
0x58(%rcx),%rdi
0x000000000046a919 <ngx_http_proxy_create_request+1017>: callq
0x408fd0 <ngx_create_temp_buf>
0x000000000046a91e <ngx_http_proxy_create_request+1022>: test
%rax,%rax
0x000000000046a921 <ngx_http_proxy_create_request+1025>: mov
%rax,%rbp
0x000000000046a924 <ngx_http_proxy_create_request+1028>: jne
0x46a971 <ngx_http_proxy_create_request+1105>
0x000000000046a926 <ngx_http_proxy_create_request+1030>: mov
$0xffffffffffffffff,%rax
0x000000000046a92d <ngx_http_proxy_create_request+1037>: add
$0x128,%rsp
0x000000000046a934 <ngx_http_proxy_create_request+1044>: pop %rbx
0x000000000046a935 <ngx_http_proxy_create_request+1045>: pop %rbp
0x000000000046a936 <ngx_http_proxy_create_request+1046>: pop %r12
0x000000000046a938 <ngx_http_proxy_create_request+1048>: pop %r13
0x000000000046a93a <ngx_http_proxy_create_request+1050>: pop %r14
0x000000000046a93c <ngx_http_proxy_create_request+1052>: pop %r15
0x000000000046a93e <ngx_http_proxy_create_request+1054>: retq
0x000000000046a93f <ngx_http_proxy_create_request+1055>: mov
0x50(%rsp),%rdi
0x000000000046a944 <ngx_http_proxy_create_request+1060>: mov
$0x5,%edx
0x000000000046a949 <ngx_http_proxy_create_request+1065>: mov
$0x495e7a,%esi
0x000000000046a94e <ngx_http_proxy_create_request+1070>: callq
0x409c90 <ngx_strncasecmp>
0x000000000046a953 <ngx_http_proxy_create_request+1075>: test
%rax,%rax
0x000000000046a956 <ngx_http_proxy_create_request+1078>: jne
0x46a5a3 <ngx_http_proxy_create_request+131>
0x000000000046a95c <ngx_http_proxy_create_request+1084>: mov
0x40(%rsp),%rax
0x000000000046a961 <ngx_http_proxy_create_request+1089>: movq
$0x1,0x98(%rax)
0x000000000046a96c <ngx_http_proxy_create_request+1100>: jmpq
0x46a5a3 <ngx_http_proxy_create_request+131>
0x000000000046a971 <ngx_http_proxy_create_request+1105>: mov
0x10(%rsp),%rax
0x000000000046a976 <ngx_http_proxy_create_request+1110>: mov
0x58(%rax),%rdi
0x000000000046a97a <ngx_http_proxy_create_request+1114>: callq
0x408df0 <ngx_alloc_chain_link>
0x000000000046a97f <ngx_http_proxy_create_request+1119>: test
%rax,%rax
0x000000000046a982 <ngx_http_proxy_create_request+1122>: mov
%rax,0x30(%rsp)
0x000000000046a987 <ngx_http_proxy_create_request+1127>: je
0x46a926 <ngx_http_proxy_create_request+1030>
0x000000000046a989 <ngx_http_proxy_create_request+1129>: mov
0x58(%rsp),%rdx
0x000000000046a98e <ngx_http_proxy_create_request+1134>: mov
0x8(%rbp),%rdi
0x000000000046a992 <ngx_http_proxy_create_request+1138>: mov
0x50(%rsp),%rsi
0x000000000046a997 <ngx_http_proxy_create_request+1143>: mov
%rbp,(%rax)
0x000000000046a99a <ngx_http_proxy_create_request+1146>: callq
0x404798 <memcpy@plt>
0x000000000046a99f <ngx_http_proxy_create_request+1151>: mov
0x48(%rsp),%rcx
0x000000000046a9a4 <ngx_http_proxy_create_request+1156>: add
0x58(%rsp),%rax
0x000000000046a9a9 <ngx_http_proxy_create_request+1161>: mov
0x38(%rsp),%rdx
0x000000000046a9ae <ngx_http_proxy_create_request+1166>: cmpq
$0x0,0x1b0(%rcx)
0x000000000046a9b6 <ngx_http_proxy_create_request+1174>: mov
%rax,0x8(%rbp)
0x000000000046a9ba <ngx_http_proxy_create_request+1178>: mov
%rax,0x348(%rdx)
0x000000000046a9c1 <ngx_http_proxy_create_request+1185>: je
0x46a9d5 <ngx_http_proxy_create_request+1205>
0x000000000046a9c3 <ngx_http_proxy_create_request+1187>: mov
0x40(%rsp),%rax
0x000000000046a9c8 <ngx_http_proxy_create_request+1192>: mov
0x68(%rax),%rdx
0x000000000046a9cc <ngx_http_proxy_create_request+1196>: test
%rdx,%rdx
0x000000000046a9cf <ngx_http_proxy_create_request+1199>: jne
0x46ac3d <ngx_http_proxy_create_request+1821>
0x000000000046a9d5 <ngx_http_proxy_create_request+1205>: cmpq
$0x0,0x28(%rsp)
0x000000000046a9db <ngx_http_proxy_create_request+1211>: jne
0x46ae09 <ngx_http_proxy_create_request+2281>
0x000000000046a9e1 <ngx_http_proxy_create_request+1217>: mov
0x10(%rsp),%rcx
0x000000000046a9e6 <ngx_http_proxy_create_request+1222>: testb
$0x8,0x43c(%rcx)
0x000000000046a9ed <ngx_http_proxy_create_request+1229>: jne
0x46af77 <ngx_http_proxy_create_request+2647>
0x000000000046a9f3 <ngx_http_proxy_create_request+1235>: cmpq
$0x0,0x20(%rsp)
0x000000000046a9f9 <ngx_http_proxy_create_request+1241>: je
0x46adc6 <ngx_http_proxy_create_request+2214>
0x000000000046a9ff <ngx_http_proxy_create_request+1247>: mov
0x10(%rsp),%rcx
0x000000000046aa04 <ngx_http_proxy_create_request+1252>: mov
0x18(%rsp),%rsi
0x000000000046aa09 <ngx_http_proxy_create_request+1257>: mov
0x8(%rbp),%rdi
0x000000000046aa0d <ngx_http_proxy_create_request+1261>: mov
0x330(%rcx),%rdx
0x000000000046aa14 <ngx_http_proxy_create_request+1268>: add
0x338(%rcx),%rsi
0x000000000046aa1b <ngx_http_proxy_create_request+1275>: xor
%ecx,%ecx
0x000000000046aa1d <ngx_http_proxy_create_request+1277>: sub
0x18(%rsp),%rdx
0x000000000046aa22 <ngx_http_proxy_create_request+1282>: callq
0x40a6f0 <ngx_escape_uri>
0x000000000046aa27 <ngx_http_proxy_create_request+1287>: mov
0x10(%rsp),%rax
0x000000000046aa2c <ngx_http_proxy_create_request+1292>: mov
0x18(%rsp),%rdx
0x000000000046aa31 <ngx_http_proxy_create_request+1297>: mov
0x330(%rax),%rax
0x000000000046aa38 <ngx_http_proxy_create_request+1304>: add
%rax,0x20(%rsp)
0x000000000046aa3d <ngx_http_proxy_create_request+1309>: sub
%rdx,0x20(%rsp)
0x000000000046aa42 <ngx_http_proxy_create_request+1314>: mov
0x20(%rsp),%rcx
0x000000000046aa47 <ngx_http_proxy_create_request+1319>: add
%rcx,0x8(%rbp)
0x000000000046aa4b <ngx_http_proxy_create_request+1323>: mov
0x10(%rsp),%rax
0x000000000046aa50 <ngx_http_proxy_create_request+1328>: cmpq
$0x0,0x340(%rax)
0x000000000046aa58 <ngx_http_proxy_create_request+1336>: jne
0x46af40 <ngx_http_proxy_create_request+2592>
0x000000000046aa5e <ngx_http_proxy_create_request+1342>: mov
0x38(%rsp),%rcx
0x000000000046aa63 <ngx_http_proxy_create_request+1347>: mov
0x8(%rbp),%rdx
0x000000000046aa67 <ngx_http_proxy_create_request+1351>: mov
%rdx,%rax
0x000000000046aa6a <ngx_http_proxy_create_request+1354>: sub
0x348(%rcx),%rax
0x000000000046aa71 <ngx_http_proxy_create_request+1361>: mov
%rax,0x340(%rcx)
0x000000000046aa78 <ngx_http_proxy_create_request+1368>: mov
0x48(%rsp),%rax
0x000000000046aa7d <ngx_http_proxy_create_request+1373>: cmpq
$0x3e9,0x298(%rax)
0x000000000046aa88 <ngx_http_proxy_create_request+1384>: je
0x46ad9a <ngx_http_proxy_create_request+2170>
0x000000000046aa8e <ngx_http_proxy_create_request+1390>: mov
0x2496df(%rip),%rax # 0x6b4174 <ngx_http_proxy_version>
0x000000000046aa95 <ngx_http_proxy_create_request+1397>: mov
%rax,(%rdx)
0x000000000046aa98 <ngx_http_proxy_create_request+1400>: movzwl
0x2496dd(%rip),%eax # 0x6b417c <ngx_http_proxy_version+8>
0x000000000046aa9f <ngx_http_proxy_create_request+1407>: mov
%ax,0x8(%rdx)
0x000000000046aaa3 <ngx_http_proxy_create_request+1411>: movzbl
0x2496d4(%rip),%eax # 0x6b417e <ngx_http_proxy_version+10>
0x000000000046aaaa <ngx_http_proxy_create_request+1418>: mov
%al,0xa(%rdx)
0x000000000046aaad <ngx_http_proxy_create_request+1421>: lea
0xb(%rdx),%rax
0x000000000046aab1 <ngx_http_proxy_create_request+1425>: mov
%rax,0x8(%rbp)
0x000000000046aab5 <ngx_http_proxy_create_request+1429>: lea
0xc0(%rsp),%r13
0x000000000046aabd <ngx_http_proxy_create_request+1437>: mov
$0x58,%edx
0x000000000046aac2 <ngx_http_proxy_create_request+1442>: xor
%esi,%esi
0x000000000046aac4 <ngx_http_proxy_create_request+1444>: mov
%r13,%rdi
0x000000000046aac7 <ngx_http_proxy_create_request+1447>: callq
0x403fe8 <memset@plt>
0x000000000046aacc <ngx_http_proxy_create_request+1452>: mov
0x48(%rsp),%rdx
0x000000000046aad1 <ngx_http_proxy_create_request+1457>: mov
0x10(%rsp),%rcx
0x000000000046aad6 <ngx_http_proxy_create_request+1462>: mov
0x190(%rdx),%rax
0x000000000046aadd <ngx_http_proxy_create_request+1469>: mov
%rcx,0x110(%rsp)
0x000000000046aae5 <ngx_http_proxy_create_request+1477>: mov
(%rax),%rax
0x000000000046aae8 <ngx_http_proxy_create_request+1480>: mov
%rax,0xc0(%rsp)
0x000000000046aaf0 <ngx_http_proxy_create_request+1488>: mov
0x8(%rbp),%rax
0x000000000046aaf4 <ngx_http_proxy_create_request+1492>: orb
$0x1,0x100(%rsp)
0x000000000046aafc <ngx_http_proxy_create_request+1500>: mov
%rax,0xc8(%rsp)
0x000000000046ab04 <ngx_http_proxy_create_request+1508>: mov
0x188(%rdx),%rax
0x000000000046ab0b <ngx_http_proxy_create_request+1515>: mov
(%rax),%rax
(continues)


Russell Howe
[email protected]
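
A configuration check for the pattern this report describes (a 400 `error_page` routed to a named location that proxies), as an added example that is not part of the original post and not nginx's own tooling. The simplified config parser, the sample configuration and all function names are assumptions made for illustration; includes are not followed.

```python
import re

# Constructed sample configuration (not from the original post): the first
# server sends 400 to a proxied named location, the second serves it statically.
SAMPLE_CONF = r"""
http {
    server {
        listen 443 ssl;
        error_page 400 @fallback;      # pattern from the report
        error_page 502 504 /50x.html;
        location @fallback {
            proxy_pass http://127.0.0.1:8080;
        }
    }
    server {
        listen 8443 ssl;
        error_page 400 404 =200 @static;
        location @static {
            root /var/www/errors;
        }
    }
}
"""

# Simplified nginx lexer: comments, quoted strings, structural characters, words.
TOKEN = re.compile(r'''
    \#[^\n]*              # comment to end of line
  | "(?:\\.|[^"\\])*"     # double-quoted string
  | '(?:\\.|[^'\\])*'     # single-quoted string
  | [{};]                 # block and directive delimiters
  | [^\s{};"'#]+          # bare word
''', re.X)


def tokenize(text):
    """Yield tokens, dropping comments. Quoted tokens keep their quotes so a
    quoted "{" or ";" is never mistaken for a delimiter."""
    for match in TOKEN.finditer(text):
        tok = match.group(0)
        if not tok.startswith("#"):
            yield tok


def parse(tokens):
    """Build a tree of (args, children); children is None for a simple
    directive and a list for a block. `tokens` must be a shared iterator."""
    items, args = [], []
    for tok in tokens:
        if tok == ";":
            if args:
                items.append((args, None))
            args = []
        elif tok == "{":
            items.append((args, parse(tokens)))
            args = []
        elif tok == "}":
            return items
        else:
            args.append(tok.strip("\"'"))
    return items


def walk(items):
    """Depth-first traversal over every directive and block."""
    for args, children in items:
        yield args, children
        if children is not None:
            yield from walk(children)


def audit(conf_text):
    """Return (named_location, proxied) for every error_page directive that
    maps status 400 to a named location, checked per server block."""
    findings = []
    for args, children in walk(parse(tokenize(conf_text))):
        if args != ["server"] or children is None:
            continue  # skips 'server host:port;' lines inside upstream blocks
        # Named locations in this server, and whether each contains proxy_pass.
        proxied = {a[-1]: any(d and d[0] == "proxy_pass" for d, _ in walk(c))
                   for a, c in walk(children)
                   if c is not None and a[:1] == ["location"]
                   and a[-1].startswith("@")}
        for a, c in walk(children):
            if c is None and a[0] == "error_page" and len(a) >= 3:
                # Arguments: codes..., optional =response, then the target.
                codes = [x for x in a[1:-1] if not x.startswith("=")]
                if "400" in codes and a[-1].startswith("@"):
                    findings.append((a[-1], proxied.get(a[-1], False)))
    return findings


if __name__ == "__main__":
    for name, is_proxied in audit(SAMPLE_CONF):
        state = "proxies upstream: REVIEW" if is_proxied else "no proxy_pass"
        print(f"error_page 400 -> {name}: {state}")
```

Entries reported with `proxied` set to true match the request path in the backtrace above (`ngx_http_send_error_page` to `ngx_http_named_location` to `ngx_http_proxy_handler`) and are the ones to review on affected versions.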