From 19a6b983b5b0b5efced39ec6128d67cae343ad53 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Fri, 14 Nov 2025 16:06:56 +0400
Subject: [PATCH] Request body: fixed empty body buffering special case.

Empty request body buffering is specially handled to avoid extra write+seek syscalls as initially introduced in 4c7f51136 (0.4.4). This was later broken in chunked body filter in 5fc85439d (1.3.9) where rb->bufs cannot be NULL as it holds at least the final chunk, and further regressed in length body filter in 2a7092138 (1.21.2) where rb->bufs started to indicate the last buffer received. The fix is to additionally check if it is the only empty buffer.

Found with UndefinedBehaviorSanitizer (pointer-overflow)
---
 src/http/ngx_http_request_body.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
index 93c69220c..42a43251d 100644
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -581,7 +581,9 @@ ngx_http_write_request_body(ngx_http_request_t *r)
     rb->temp_file = tf;
 
-    if (rb->bufs == NULL) {
+    if (rb->bufs == NULL
+        || (rb->bufs->buf->pos == NULL && rb->bufs->next == NULL))
+    {
         /* empty body with r->request_body_in_file_only */
 
         if (ngx_create_temp_file(&tf->file, tf->path, tf->pool,