changeset 9326:75794cb1f5ea

Request body: fixed segfault on early errors.

The r->request_body might not be initialized on error handling in ngx_http_read_client_request_body(), notably if ngx_http_test_expect() or ngx_pcalloc() fail. After introduction of request body clearing in 9259:81082b5521dd (1.27.0), this caused segmentation fault due to NULL pointer dereference when clearing r->request_body->bufs.

Fix is to explicitly check if r->request_body is available before clearing r->request_body->bufs.

Reported by Jiří Setnička, http://freenginx.org/pipermail/nginx-devel/2024-August/000484.html
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 31 Aug 2024 03:55:10 +0300
parents 0086f8da5d8d
children 707736510a90
files src/http/ngx_http_request_body.c
diffstat 1 files changed, 4 insertions(+), 1 deletions(-)
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -245,7 +245,10 @@ done:
 
         r->lingering_close = 1;
         r->discard_body = 1;
-        r->request_body->bufs = NULL;
+
+        if (r->request_body) {
+            r->request_body->bufs = NULL;
+        }
 
         r->main->count--;
         r->read_event_handler = ngx_http_block_reading;
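Review bot: The new `if (r->request_body)` guard under `done:` has no comment saying why the pointer can legitimately be NULL here, and a later cleanup could remove it as redundant. A one-line comment above the check, noting that this path is reached before the request body structure is allocated when ngx_http_test_expect() or ngx_pcalloc() fails, would record that. The surrounding assignments (`r->lingering_close`, `r->discard_body`, `r->main->count--`) do not touch `r->request_body`, so within this hunk the guarded line was the only dereference. Since the crash came from a change in an earlier revision, a regression test that drives one of these early failure paths would keep the NULL case covered.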