Mercurial > hg > nginx
changeset 9326:75794cb1f5ea
Request body: fixed segfault on early errors.
The r->request_body might not be initialized on error handling in
ngx_http_read_client_request_body(), notably if ngx_http_test_expect()
or ngx_pcalloc() fail. After introduction of request body clearing
in 9259:81082b5521dd (1.27.0), this caused segmentation fault due to
NULL pointer dereference when clearing r->request_body->bufs.
Fix is to explicitly check if r->request_body is available before
clearing r->request_body->bufs.
Reported by Jiří Setnička,
http://freenginx.org/pipermail/nginx-devel/2024-August/000484.html
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 31 Aug 2024 03:55:10 +0300 |
parents | 0086f8da5d8d |
children | 707736510a90 |
files | src/http/ngx_http_request_body.c |
diffstat | 1 files changed, 4 insertions(+), 1 deletions(-) |
--- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c @@ -245,7 +245,10 @@ done: r->lingering_close = 1; r->discard_body = 1; - r->request_body->bufs = NULL; + + if (r->request_body) { + r->request_body->bufs = NULL; + } r->main->count--; r->read_event_handler = ngx_http_block_reading;
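
Review bot: The new `if (r->request_body)` guard after `r->discard_body = 1;` under `done:` has no comment saying why the pointer can be NULL at this point. The reason is recorded only in the commit message: ngx_http_test_expect() or ngx_pcalloc() can fail before r->request_body is initialized. A short comment above the guard, for example `/* r->request_body may not be set on early errors */`, would keep a later cleanup from dropping the check as redundant. The change also carries no test for the early-error path, so a regression case that reaches `done:` through one of those failures would be worth adding with it. In the visible lines, the statements that follow (`r->main->count--;` and the `r->read_event_handler` assignment) do not dereference r->request_body, so no further guard is needed within this hunk.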