Mercurial > hg > nginx
comparison src/http/ngx_http_postpone_filter_module.c @ 7221:43585e0e12a3
Postpone filter: prevented uninitialized r->out.
The r->out chain link could be left uninitialized in case of error.
A segfault could happen if the subrequest handler accessed it.
The issue was introduced in commit 20f139e9ffa8.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Thu, 01 Mar 2018 18:38:39 +0300 |
| parents | 20f139e9ffa8 |
| children |
comparison
equal
deleted
inserted
replaced
| 7220:20f139e9ffa8 | 7221:43585e0e12a3 |
|---|---|
| 189 | 189 |
| 190 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, | 190 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, |
| 191 "http postpone filter in memory"); | 191 "http postpone filter in memory"); |
| 192 | 192 |
| 193 if (r->out == NULL) { | 193 if (r->out == NULL) { |
| 194 r->out = ngx_alloc_chain_link(r->pool); | |
| 195 if (r->out == NULL) { | |
| 196 return NGX_ERROR; | |
| 197 } | |
| 198 | |
| 199 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); | 194 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); |
| 200 | 195 |
| 201 if (r->headers_out.content_length_n != -1) { | 196 if (r->headers_out.content_length_n != -1) { |
| 202 len = r->headers_out.content_length_n; | 197 len = r->headers_out.content_length_n; |
| 203 | 198 |
| 216 return NGX_ERROR; | 211 return NGX_ERROR; |
| 217 } | 212 } |
| 218 | 213 |
| 219 b->last_buf = 1; | 214 b->last_buf = 1; |
| 220 | 215 |
| 216 r->out = ngx_alloc_chain_link(r->pool); | |
| 217 if (r->out == NULL) { | |
| 218 return NGX_ERROR; | |
| 219 } | |
| 220 | |
| 221 r->out->buf = b; | 221 r->out->buf = b; |
| 222 r->out->next = NULL; | 222 r->out->next = NULL; |
| 223 } | 223 } |
| 224 | 224 |
| 225 b = r->out->buf; | 225 b = r->out->buf; |