[nginx] svn commit: r4490 - trunk/src/event

Anonymous User
February 22, 2012 06:30AM
Author: mdounin
Date: 2012-02-22 11:28:53 +0000 (Wed, 22 Feb 2012)
New Revision: 4490

Log:
Event pipe: fixed buffer loss in p->length case.

With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list. This eventually might cause "all buffers busy"
problem, resulting in segmentation fault due to null pointer dereference in
ngx_event_pipe_write_chain_to_temp_file().

In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.

Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().


Modified:
trunk/src/event/ngx_event_pipe.c

Modified: trunk/src/event/ngx_event_pipe.c
===================================================================
--- trunk/src/event/ngx_event_pipe.c 2012-02-21 15:10:13 UTC (rev 4489)
+++ trunk/src/event/ngx_event_pipe.c 2012-02-22 11:28:53 UTC (rev 4490)
@@ -401,13 +401,14 @@

if (cl->buf->last - cl->buf->pos >= p->length) {

+ p->free_raw_bufs = cl->next;
+
/* STUB */ cl->buf->num = p->num++;

if (p->input_filter(p, cl->buf) == NGX_ERROR) {
return NGX_ABORT;
}

- p->free_raw_bufs = cl->next;
ngx_free_chain(p->pool, cl);
}
}
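Review bot: On the NGX_ERROR path of the p->input_filter() call, cl has now already been unlinked from p->free_raw_bufs, yet the return NGX_ABORT skips ngx_free_chain(p->pool, cl), so that link is neither on the free list nor released. This is presumably harmless if NGX_ABORT tears the pipe down, but it is worth confirming. Separately, the new ordering is load-bearing and not obvious from the code alone: a short comment above "p->free_raw_bufs = cl->next;" noting that the filter may call ngx_event_pipe_add_free_buf(), so the link must be removed first, would keep the assignment from being moved back below the call later.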

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
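The buffer loss described in the commit log, as a stand-alone C model added here (it is not nginx code and not part of the commit). The types and the functions `add_free_buf`, `input_filter` and `links_after_branch` are simplified, hypothetical stand-ins that model only the free-list handling the log describes.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified stand-ins for ngx_buf_t, ngx_chain_t, ngx_event_pipe_t (assumed). */
typedef struct { char *pos, *last; } buf_t;
typedef struct chain_s { buf_t *buf; struct chain_s *next; } chain_t;
typedef struct { chain_t *free_raw_bufs; } pipe_t;

/* Rule from the log: if the head buffer is empty (pos == last), the returned
 * buffer goes to the list start. The else branch is not exercised here. */
static void add_free_buf(pipe_t *p, buf_t *b) {
    chain_t *cl = malloc(sizeof(*cl));
    if (cl == NULL) abort();
    cl->buf = b;
    if (p->free_raw_bufs == NULL
        || p->free_raw_bufs->buf->pos == p->free_raw_bufs->buf->last) {
        cl->next = p->free_raw_bufs;
        p->free_raw_bufs = cl;
    } else {
        cl->next = p->free_raw_bufs->next;
        p->free_raw_bufs->next = cl;
    }
}

/* Hypothetical filter: sees no data and hands the buffer back to the free list. */
static int input_filter(pipe_t *p, buf_t *b) { add_free_buf(p, b); return 0; }

/* Runs the branch with the unlink after the filter (0, r4489 order) or before
 * it (1, r4490 order); returns how many free-list links still reach the buffer. */
static int links_after_branch(int unlink_first) {
    static char raw[16];
    buf_t b = { raw, raw };               /* constructed: buffer holding no data */
    chain_t *cl = malloc(sizeof(*cl)), *c, *next;
    pipe_t p; int n = 0;
    if (cl == NULL) abort();
    cl->buf = &b; cl->next = NULL;
    p.free_raw_bufs = cl;
    if (unlink_first) p.free_raw_bufs = cl->next;
    input_filter(&p, &b);
    if (!unlink_first) p.free_raw_bufs = cl->next;  /* drops cl and the new link */
    free(cl);                             /* stands in for ngx_free_chain() */
    for (c = p.free_raw_bufs; c; c = next) { next = c->next; n += (c->buf == &b); free(c); }
    return n;
}

int main(void) {
    printf("r4489 order: %d link(s)\n", links_after_branch(0));
    printf("r4490 order: %d link(s)\n", links_after_branch(1));
    return 0;
}
```

With the r4489 order no free-list link reaches the buffer any more, which is the loss the log says eventually leads to the "all buffers busy" problem.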