github.com/nginx/nginx.git
author Maxim Dounin <mdounin@mdounin.ru> 2016-05-31 05:13:30 +0300
committer Maxim Dounin <mdounin@mdounin.ru> 2016-05-31 05:13:30 +0300
commit 969105accdcc3df885082a90012eb5cc8f31d5b7
tree 1f18de9d677f480cfd8882106c27d2d7ecf4a420
parent 91c1a88b46aad82eeaf3adefb632320c10284791
Core: skip special buffers on writing (ticket #981).

A special last buffer with cl->buf->pos set to NULL can be present in a chain when writing request body if chunked encoding was used. This resulted in a NULL pointer dereference if it happened to be the only buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding support. Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the minimum number of buffers to trigger this from IOV_MAX (typically 1024) to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is done in other places.
-rw-r--r-- src/os/unix/ngx_files.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/os/unix/ngx_files.c b/src/os/unix/ngx_files.c
index 65c79a241..7fbb7c9a7 100644
--- a/src/os/unix/ngx_files.c
+++ b/src/os/unix/ngx_files.c
@@ -356,6 +356,11 @@ ngx_chain_to_iovec(ngx_iovec_t *vec, ngx_chain_t *cl)
n = 0;
for ( /* void */ ; cl; cl = cl->next) {
+
+ if (ngx_buf_special(cl->buf)) {
+ continue;
+ }
+
size = cl->buf->last - cl->buf->pos;
if (prev == cl->buf->pos) {
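Review bot: The new `ngx_buf_special(cl->buf)` check at the top of the loop in ngx_chain_to_iovec() has no comment, and the reason it is needed (a last buffer whose pos is NULL when chunked encoding was used) is recorded only in the commit message; a one-line comment above the `if` would keep the guard from being dropped in a later cleanup. Because the loop can now skip every remaining link, it is also worth confirming that the caller named in the commit message, ngx_write_chain_to_file(), handles a result with no iovecs and zero size without issuing an empty write or repeating its do...while iteration. The diffstat lists only src/os/unix/ngx_files.c, so no regression test for the chunked request body case accompanies the fix.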