[nginx] Request body: fixed segfault on early errors.
Maxim Dounin
mdounin at mdounin.ru
Sat Aug 31 02:33:11 UTC 2024
details: http://freenginx.org/hg/nginx/rev/75794cb1f5ea
branches:
changeset: 9326:75794cb1f5ea
user: Maxim Dounin <mdounin at mdounin.ru>
date: Sat Aug 31 03:55:10 2024 +0300
description:
Request body: fixed segfault on early errors.

The r->request_body might not be initialized on error handling in
ngx_http_read_client_request_body(), notably if ngx_http_test_expect()
or ngx_pcalloc() fail. After introduction of request body clearing
in 9259:81082b5521dd (1.27.0), this caused segmentation fault due to
NULL pointer dereference when clearing r->request_body->bufs.

Fix is to explicitly check if r->request_body is available before
clearing r->request_body->bufs.

Reported by Jiří Setnička,
http://freenginx.org/pipermail/nginx-devel/2024-August/000484.html
diffstat:
src/http/ngx_http_request_body.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diffs (15 lines):
diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -245,7 +245,10 @@ done:
r->lingering_close = 1;
r->discard_body = 1;
- r->request_body->bufs = NULL;
+
+ if (r->request_body) {
+ r->request_body->bufs = NULL;
+ }
r->main->count--;
r->read_event_handler = ngx_http_block_reading;
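Review bot: the new `if (r->request_body)` guard under `done:` has no comment saying why the pointer can be NULL at this point, so a later cleanup could take it for a redundant check and remove it. The commit message gives the reason (ngx_http_test_expect() or ngx_pcalloc() can fail before r->request_body is set up), and a one-line comment above the guard stating that early-error paths reach `done:` without a request body would keep that knowledge next to the code. The neighbouring assignments to r->lingering_close and r->discard_body only touch `r` itself, so the guard correctly covers the single dereference of r->request_body visible in this hunk.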