Mercurial > hg > nginx
view src/event/ngx_event_mutex.c @ 4489:9806bf07d119
Event pipe: fixed buffer loss in p->length case.
With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list. This eventually might cause "all buffers busy"
problem, resulting in segmentation fault due to null pointer dereference in
ngx_event_pipe_write_chain_to_temp_file().
In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.
Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 22 Feb 2012 11:28:53 +0000 |
parents | d620f497c50f |
children | 3377f9459e99 |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_event.h> ngx_int_t ngx_event_mutex_timedlock(ngx_event_mutex_t *m, ngx_msec_t timer, ngx_event_t *ev) { ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0, "lock event mutex %p lock:%XD", m, m->lock); if (m->lock) { if (m->events == NULL) { m->events = ev; } else { m->last->next = ev; } m->last = ev; ev->next = NULL; #if (NGX_THREADS0) ev->light = 1; #endif ngx_add_timer(ev, timer); return NGX_AGAIN; } m->lock = 1; return NGX_OK; } ngx_int_t ngx_event_mutex_unlock(ngx_event_mutex_t *m, ngx_log_t *log) { ngx_event_t *ev; if (m->lock == 0) { ngx_log_error(NGX_LOG_ALERT, log, 0, "tring to unlock the free event mutex %p", m); return NGX_ERROR; } ngx_log_debug2(NGX_LOG_DEBUG_EVENT, log, 0, "unlock event mutex %p, next event: %p", m, m->events); m->lock = 0; if (m->events) { ev = m->events; m->events = ev->next; ev->next = (ngx_event_t *) ngx_posted_events; ngx_posted_events = ev; } return NGX_OK; }