Mercurial > hg > nginx

changeset 4936:240e3fb392c9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Request body: error checking fixes, negative rb->rest handling. Negative rb->rest can't happen with current code, but it's good to have it handled anyway. Found by Coverity (CID 744846, 744847, 744848).
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 26 Nov 2012 18:01:08 +0000
parents 7bd1c839af3b
children 3b6594a2b79f
files src/http/ngx_http_request_body.c
diffstat 1 files changed, 11 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -134,6 +134,13 @@ ngx_http_read_client_request_body(ngx_ht
         return NGX_OK;
     }
 
+    if (rb->rest < 0) {
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                      "negative request body rest");
+        rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+        goto done;
+    }
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     size = clcf->client_body_buffer_size;
@@ -643,7 +650,7 @@ ngx_http_discard_request_body_filter(ngx
             }
 
             rb->chunked = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_t));
-            if (rb == NULL) {
+            if (rb->chunked == NULL) {
                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
             }
 
@@ -1022,7 +1029,9 @@ ngx_http_request_body_save_filter(ngx_ht
 
     /* TODO: coalesce neighbouring buffers */
 
-    ngx_chain_add_copy(r->pool, &rb->bufs, in);
+    if (ngx_chain_add_copy(r->pool, &rb->bufs, in) != NGX_OK) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     return NGX_OK;
 }