Klaus Demo nginx / b5d0d7a
Event pipe: fixed buffer loss in p->length case.

With previous code raw buffer might be lost if p->input_filter() was called on a buffer without any data and used ngx_event_pipe_add_free_buf() to return it to the free list. This eventually might cause "all buffers busy" problem, resulting in segmentation fault due to null pointer dereference in ngx_event_pipe_write_chain_to_temp_file().

In ngx_event_pipe_add_free_buf() the buffer was added to the list start due to pos == last, and then "p->free_raw_bufs = cl->next" in ngx_event_pipe_read_upstream() dropped both chain links to the buffer from the p->free_raw_bufs list.

Fix is to move "p->free_raw_bufs = cl->next" before calling the p->input_filter().

Maxim Dounin 10 years ago
1 changed file(s) with 2 addition(s) and 1 deletion(s).
400400
401401 if (cl->buf->last - cl->buf->pos >= p->length) {
402402
403 p->free_raw_bufs = cl->next;
404
403405 /* STUB */ cl->buf->num = p->num++;
404406
405407 if (p->input_filter(p, cl->buf) == NGX_ERROR) {
406408 return NGX_ABORT;
407409 }
408410
409 p->free_raw_bufs = cl->next;
410411 ngx_free_chain(p->pool, cl);
411412 }
412413 }
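Review bot: The relocated "p->free_raw_bufs = cl->next;" now sits ahead of p->input_filter() with no comment explaining that the order is load-bearing, so a later cleanup could easily move it back next to ngx_free_chain(). A one-line comment above the assignment would make the invariant explicit: cl has to be unlinked before the filter runs, because the filter may put the buffer back on p->free_raw_bufs itself. Separately, on the NGX_ERROR branch cl is now already unlinked from p->free_raw_bufs when the function returns NGX_ABORT, and ngx_free_chain(p->pool, cl) is never reached for it. Before the change the link was still on the list at that point. Please confirm that nothing on the abort path expects to find this buffer on the free list, or note in the comment that the link is intentionally left to pool cleanup.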