# HG changeset patch
# User Maxim Dounin
# Date 1725065710 -10800
# Node ID 75794cb1f5eafd95f87519d365c9e85d1bd9419a
# Parent 0086f8da5d8daf83b74b78e8f512deb13a199b97
Request body: fixed segfault on early errors. The r->request_body might not be initialized on error handling in ngx_http_read_client_request_body(), notably if ngx_http_test_expect() or ngx_pcalloc() fail. After introduction of request body clearing in 9259:81082b5521dd (1.27.0), this caused segmentation fault due to NULL pointer dereference when clearing r->request_body->bufs. Fix is to explicitly check if r->request_body is available before clearing r->request_body->bufs. Reported by Jiří Setnička, http://freenginx.org/pipermail/nginx-devel/2024-August/000484.html
diff -r 0086f8da5d8d -r 75794cb1f5ea src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c Sat Aug 31 00:30:44 2024 +0300
+++ b/src/http/ngx_http_request_body.c Sat Aug 31 03:55:10 2024 +0300
@@ -245,7 +245,10 @@
 r->lingering_close = 1;
 r->discard_body = 1;
- r->request_body->bufs = NULL;
+
+ if (r->request_body) {
+ r->request_body->bufs = NULL;
+ }
 r->main->count--;
 r->read_event_handler = ngx_http_block_reading;
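Review bot: The new `if (r->request_body)` guard has no comment saying when the pointer can be NULL here, so a later cleanup could take the check for redundant and bring back the NULL dereference that crashes the worker. The commit message already gives the reason, and I would carry it into the code above the check, e.g. `/* r->request_body may be NULL on early errors (ngx_http_test_expect() or ngx_pcalloc() failure) */`. The enclosing block starts and ends outside the hunk, so whether other statements on this error path also dereference r->request_body cannot be judged from these lines and is worth confirming.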