From e952e134fa3ddb80d6e19946858bfca34219dffa Mon Sep 17 00:00:00 2001
From: Jun Ouyang
Date: Tue, 17 Mar 2026 00:05:17 +0800
Subject: [PATCH 1/2] bugfix: prevent NULL dereference in SSL cache by ensuring old_cycle is set
---
 src/ngx_http_lua_initworkerby.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c
index edb68df08a..d199635fd4 100644
--- a/src/ngx_http_lua_initworkerby.c
+++ b/src/ngx_http_lua_initworkerby.c
@@ -115,6 +115,18 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
 ngx_memcpy(fake_cycle, cycle, sizeof(ngx_cycle_t));
+ /*
+ * nginx clears cycle->old_cycle after ngx_init_cycle() completes.
+ * Since nginx 1.29.2, ngx_ssl_cache_fetch() accesses old_cycle->conf_ctx
+ * without a NULL guard, so we must ensure old_cycle is non-NULL to avoid
+ * a NULL dereference when merge_loc_conf triggers ngx_ssl_trusted_certificate.
+ * Pointing to the current cycle is safe: the SSL cache is shared via
+ * conf_ctx, so cert lookups will still find previously loaded entries.
+ */
+ if (fake_cycle->old_cycle == NULL) {
+ fake_cycle->old_cycle = cycle;
+ }
+
 ngx_queue_init(&fake_cycle->reusable_connections_queue);
 if (ngx_array_init(&fake_cycle->listening, cycle->pool,
From 3ba3da1da6741dc629d73e40c2740c8a7de074b8 Mon Sep 17 00:00:00 2001
From: Jun Ouyang
Date: Tue, 17 Mar 2026 00:15:28 +0800
Subject: [PATCH 2/2] fix
---
 src/ngx_http_lua_initworkerby.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c
index d199635fd4..c75d6a87eb 100644
--- a/src/ngx_http_lua_initworkerby.c
+++ b/src/ngx_http_lua_initworkerby.c
@@ -118,10 +118,11 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
 /*
 * nginx clears cycle->old_cycle after ngx_init_cycle() completes.
 * Since nginx 1.29.2, ngx_ssl_cache_fetch() accesses old_cycle->conf_ctx
- * without a NULL guard, so we must ensure old_cycle is non-NULL to avoid
- * a NULL dereference when merge_loc_conf triggers ngx_ssl_trusted_certificate.
+ * without a NULL guard, so we must ensure old_cycle is non-NULL.
+ * This avoids a NULL dereference when merge_loc_conf triggers
+ * ngx_ssl_trusted_certificate.
 * Pointing to the current cycle is safe: the SSL cache is shared via
- * conf_ctx, so cert lookups will still find previously loaded entries.
+ * conf_ctx, so cert lookups still find previously loaded entries.
 */
 if (fake_cycle->old_cycle == NULL) {
 fake_cycle->old_cycle = cycle;
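Review bot: The guard `if (fake_cycle->old_cycle == NULL)`, introduced in PATCH 1/2 and shown unchanged at the end of this hunk, runs on every nginx version even though the comment above it ties the unguarded `old_cycle->conf_ctx` access to nginx 1.29.2 and later. Wrapping the guard in `#if (nginx_version >= 1029002)` … `#endif` would keep `old_cycle` NULL on older builds, where any code that reads `fake_cycle->old_cycle` to tell a first start from a reload would otherwise now see the live cycle; whether such a reader exists is not visible here. The comment's claim that the self-reference is safe rests on nginx internals outside this file, so it would help to add a line such as `/* old_cycle is only a non-NULL placeholder here; it is the live cycle, not a previous generation */`. Both patches touch only this source file, so nothing in the series exercises the init_worker path with a trusted certificate configured, and a regression test for that configuration would keep the worker crash from returning unnoticed. The body of ngx_http_lua_init_worker starts and ends outside the hunk.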