Mercurial > hg > nginx
comparison src/http/ngx_http_postpone_filter_module.c @ 7221:43585e0e12a3
Postpone filter: prevented uninitialized r->out.
The r->out chain link could be left uninitialized in case of error.
A segfault could happen if the subrequest handler accessed it.
The issue was introduced in commit 20f139e9ffa8.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Thu, 01 Mar 2018 18:38:39 +0300 |
parents | 20f139e9ffa8 |
children |
comparison
equal
deleted
inserted
replaced
7220:20f139e9ffa8 | 7221:43585e0e12a3 |
---|---|
189 | 189 |
190 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, | 190 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, |
191 "http postpone filter in memory"); | 191 "http postpone filter in memory"); |
192 | 192 |
193 if (r->out == NULL) { | 193 if (r->out == NULL) { |
194 r->out = ngx_alloc_chain_link(r->pool); | |
195 if (r->out == NULL) { | |
196 return NGX_ERROR; | |
197 } | |
198 | |
199 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); | 194 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); |
200 | 195 |
201 if (r->headers_out.content_length_n != -1) { | 196 if (r->headers_out.content_length_n != -1) { |
202 len = r->headers_out.content_length_n; | 197 len = r->headers_out.content_length_n; |
203 | 198 |
216 return NGX_ERROR; | 211 return NGX_ERROR; |
217 } | 212 } |
218 | 213 |
219 b->last_buf = 1; | 214 b->last_buf = 1; |
220 | 215 |
216 r->out = ngx_alloc_chain_link(r->pool); | |
217 if (r->out == NULL) { | |
218 return NGX_ERROR; | |
219 } | |
220 | |
221 r->out->buf = b; | 221 r->out->buf = b; |
222 r->out->next = NULL; | 222 r->out->next = NULL; |
223 } | 223 } |
224 | 224 |
225 b = r->out->buf; | 225 b = r->out->buf; |