Core: skip special buffers on writing (ticket #981).

A special last buffer with cl->buf->pos set to NULL can be present in a chain when writing request body if chunked encoding was used. This resulted in a NULL pointer dereference if it happened to be the only buffer left after a do...while loop iteration in ngx_write_chain_to_file(). The problem originally appeared in nginx 1.3.9 with chunked encoding support. Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the minimum number of buffers to trigger this from IOV_MAX (typically 1024) to NGX_IOVS_PREALLOCATE (typically 64). Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is done in other places.
2016-05-31 05:13:30 +03:00 · 2016-05-31 05:13:30 +03:00 · f3918385a9
parent 62c778b7ae
commit f3918385a9
1 changed files with 5 additions and 0 deletions
--- a/src/os/unix/ngx_files.c
+++ b/src/os/unix/ngx_files.c
@ -356,6 +356,11 @@ ngx_chain_to_iovec(ngx_iovec_t *vec, ngx_chain_t *cl)
    n = 0;

    for ( /* void */ ; cl; cl = cl->next) {
+
+        if (ngx_buf_special(cl->buf)) {
+            continue;
+        }
+
        size = cl->buf->last - cl->buf->pos;

        if (prev == cl->buf->pos) {