# HG changeset patch
# User Maxim Dounin
# Date 1464660810 -10800
# Node ID 0ac0575e955dc0bd394f86ea2d5bf4c9da939dba
# Parent 9809d3833cc0288d6f35e5d9c58ef36d0fc1cbeb
Core: skip special buffers on writing (ticket #981).

A special last buffer with cl->buf->pos set to NULL can be present in a chain when writing request body if chunked encoding was used. This resulted in a NULL pointer dereference if it happened to be the only buffer left after a do...while loop iteration in ngx_write_chain_to_file(). The problem originally appeared in nginx 1.3.9 with chunked encoding support. Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the minimum number of buffers to trigger this from IOV_MAX (typically 1024) to NGX_IOVS_PREALLOCATE (typically 64). Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is done in other places.

diff --git a/src/os/unix/ngx_files.c b/src/os/unix/ngx_files.c
--- a/src/os/unix/ngx_files.c
+++ b/src/os/unix/ngx_files.c
@@ -356,6 +356,11 @@ ngx_chain_to_iovec(ngx_iovec_t *vec, ngx
     n = 0;
 
     for ( /* void */ ; cl; cl = cl->next) {
+
+        if (ngx_buf_special(cl->buf)) {
+            continue;
+        }
+
         size = cl->buf->last - cl->buf->pos;
 
         if (prev == cl->buf->pos) {
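Review bot: The new `ngx_buf_special()` skip is what keeps the pointer subtraction on `size = cl->buf->last - cl->buf->pos;` two lines below from running on a NULL pos, but nothing at the site records that invariant, so a later reader may fold the check away as redundant; a one-line comment above the `if` would pin it: `/* special bufs (flush/last_buf/sync) carry no data and pos may be NULL; skip them before the pointer arithmetic */`. A consequence worth confirming in the caller, which lies outside this hunk, is that a remaining chain made only of special buffers now yields vec->count == 0, so the do...while in ngx_write_chain_to_file() must treat a zero-entry iovec as "nothing to write" rather than as an error or short write. The enclosing function ngx_chain_to_iovec starts and ends outside this hunk.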