Request body: fixed empty body buffering special case.

Empty request body buffering is specially handled to avoid extra
write+seek syscalls as initially introduced in 4c7f51136 (0.4.4).
This was later broken in chunked body filter in 5fc85439d (1.3.9)
where rb->bufs cannot be NULL as it holds at least the final chunk,
and further regressed in length body filter in 2a7092138 (1.21.2)
where rb->bufs started to indicate the last buffer received.

The fix is to additionally check if it is the only empty buffer.

Found with UndefinedBehaviorSanitizer (pointer-overflow).
Sergey Kandaurov 2025-11-14 16:06:56 +04:00
parent 9d04b6630a
commit 19a6b983b5
1 changed file with 3 additions and 1 deletion

@ -581,7 +581,9 @@ ngx_http_write_request_body(ngx_http_request_t *r)
rb->temp_file = tf;
if (rb->bufs == NULL) {
if (rb->bufs == NULL
|| (rb->bufs->buf->pos == NULL && rb->bufs->next == NULL))
{
/* empty body with r->request_body_in_file_only */
if (ngx_create_temp_file(&tf->file, tf->path, tf->pool,
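Review bot: the added condition `rb->bufs->buf->pos == NULL && rb->bufs->next == NULL` relies on `pos == NULL` as the marker of an empty buffer, but the only explanation at the call site remains the pre-existing comment `/* empty body with r->request_body_in_file_only */`. Consider extending that comment to say that the chain may now hold a single empty buffer (the final chunk from the chunked filter, or the last buffer from the length filter, per the commit message) and that `next == NULL` is what restricts the special case to a body that is genuinely empty; otherwise the reason for the second test is only recoverable from the commit history. Also, `rb->bufs->buf` is dereferenced without a NULL check; if every link in `rb->bufs` is guaranteed to carry a buffer at this point, a one-line comment stating that invariant would make the condition easier to review.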