Description
When auto_reload is enabled, ngx_http_geoip2_module can return stale or incorrect GeoIP data if the same IP address is queried immediately after a GeoIP database reload.
Problem Details:
The module caches the last queried IP (database->address) and its lookup result (database->result) (see lines 210-229). During an auto_reload (lines 761-776), the database->mmdb instance is updated, but database->address and database->result are not reset.
If the next request is for the same IP, the module finds a match with the cached database->address and skips a fresh MMDB_lookup_sockaddr. It then attempts to use the stale database->result.entry (from the old, closed database context) with the new database->mmdb instance. This can lead to MMDB_aget_value using invalid offsets or pointers, returning incorrect data.
Steps to Reproduce:
- Enable auto_reload in the Nginx configuration.
- Make a request that performs a GeoIP lookup for IP_A (its result is now cached).
- Trigger a GeoIP database file update, causing an auto_reload.
- Make another request for the same IP_A.
Expected Result:
Correct GeoIP data for IP_A is returned from the newly reloaded database.
Actual Result:
Stale or incorrect GeoIP data for IP_A is returned.
Suggested Fix:
In the auto_reload logic, after the new database is loaded (i.e., after database->mmdb = tmpdb; around line 776), explicitly reset the cached address. For example:
ngx_memzero(&database->address, sizeof(database->address));
This will force a fresh MMDB_lookup_sockaddr on the next request, even if the IP is the same as the previously cached one.
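The failure mode reported above, reduced to a self-contained C model. This is an added example, not code from ngx_http_geoip2_module: toy_mmdb_t, geo_database_t, the helper functions and the sample addresses are constructed stand-ins, and no libmaxminddb call is made.

```c
#include <stdint.h>
#include <string.h>

/* Toy stand-in for an open MMDB file: record i holds the data for key[i]. */
typedef struct { uint32_t key[2]; const char *country[2]; } toy_mmdb_t;

/* Hypothetical model of the fields named in the report. */
typedef struct {
    toy_mmdb_t mmdb;     /* current database */
    uint32_t   address;  /* last queried IP; 0 means nothing cached */
    int        result;   /* record offset, valid only for the db it came from */
} geo_database_t;

/* Constructed sample data: the update moves 192.0.2.1 to another offset. */
static const toy_mmdb_t OLD_DB = { {0xC0000201u, 0xC6336401u}, {"US", "DE"} };
static const toy_mmdb_t NEW_DB = { {0xC6336401u, 0xC0000201u}, {"DE", "CA"} };

static int toy_lookup(const toy_mmdb_t *db, uint32_t ip) {
    for (int i = 0; i < 2; i++)
        if (db->key[i] == ip) return i;
    return -1;
}

/* Request path: the lookup is skipped when the IP matches the cached one. */
static const char *geo_country(geo_database_t *d, uint32_t ip) {
    if (d->address != ip) {
        d->result = toy_lookup(&d->mmdb, ip);
        d->address = ip;
    }
    return d->result < 0 ? "" : d->mmdb.country[d->result];
}

/* Reload path: swap in the new database; reset_cache applies the suggested fix. */
static void geo_reload(geo_database_t *d, const toy_mmdb_t *tmpdb, int reset_cache) {
    d->mmdb = *tmpdb;
    if (reset_cache) memset(&d->address, 0, sizeof(d->address));
}

/* Country served for 192.0.2.1 on the first request after a reload. */
static const char *country_after_reload(int reset_cache) {
    geo_database_t d;
    d.mmdb = OLD_DB; d.address = 0; d.result = -1;
    geo_country(&d, 0xC0000201u);   /* caches the offset from OLD_DB */
    geo_reload(&d, &NEW_DB, reset_cache);
    return geo_country(&d, 0xC0000201u);
}

int main(void) { return strcmp(country_after_reload(1), "CA") != 0; }
```

Without the reset, the cached offset is applied to the new database and the model serves another address's record; with the reset, the lookup runs again and the new record is returned.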