Mercurial > hg > nginx
view src/event/ngx_event_busy_lock.h @ 4489:9806bf07d119
Event pipe: fixed buffer loss in p->length case.
With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list. This eventually might cause "all buffers busy"
problem, resulting in segmentation fault due to null pointer dereference in
ngx_event_pipe_write_chain_to_temp_file().
In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.
Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 22 Feb 2012 11:28:53 +0000 |
parents | d620f497c50f |
children | 457ec43dd8d5 |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_EVENT_BUSY_LOCK_H_INCLUDED_ #define _NGX_EVENT_BUSY_LOCK_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_event.h> typedef struct ngx_event_busy_lock_ctx_s ngx_event_busy_lock_ctx_t; struct ngx_event_busy_lock_ctx_s { ngx_event_t *event; ngx_event_handler_pt handler; void *data; ngx_msec_t timer; unsigned locked:1; unsigned waiting:1; unsigned cache_updated:1; char *md5; ngx_int_t slot; ngx_event_busy_lock_ctx_t *next; }; typedef struct { u_char *md5_mask; char *md5; ngx_uint_t cacheable; ngx_uint_t busy; ngx_uint_t max_busy; ngx_uint_t waiting; ngx_uint_t max_waiting; ngx_event_busy_lock_ctx_t *events; ngx_event_busy_lock_ctx_t *last; #if (NGX_THREADS) ngx_mutex_t *mutex; #endif } ngx_event_busy_lock_t; ngx_int_t ngx_event_busy_lock(ngx_event_busy_lock_t *bl, ngx_event_busy_lock_ctx_t *ctx); ngx_int_t ngx_event_busy_lock_cacheable(ngx_event_busy_lock_t *bl, ngx_event_busy_lock_ctx_t *ctx); void ngx_event_busy_unlock(ngx_event_busy_lock_t *bl, ngx_event_busy_lock_ctx_t *ctx); void ngx_event_busy_lock_cancel(ngx_event_busy_lock_t *bl, ngx_event_busy_lock_ctx_t *ctx); #endif /* _NGX_EVENT_BUSY_LOCK_H_INCLUDED_ */