[nginx] HTTP/2: enforce writing the sync request body buffer to file.

Valentin Bartenev vbart at nginx.com
Wed Oct 4 18:15:41 UTC 2017 

details:   http://hg.nginx.org/nginx/rev/b6dc472299da
branches:  
changeset: 7118:b6dc472299da
user:      Valentin Bartenev <vbart at nginx.com>
date:      Wed Oct 04 21:15:15 2017 +0300
description:
HTTP/2: enforce writing the sync request body buffer to file.

The sync flag of HTTP/2 request body buffer is used when the size of request
body is unknown or bigger than configured "client_body_buffer_size".  In this
case the buffer points to body data inside the global receive buffer that is
used for reading all HTTP/2 connections in the worker process.  Thus, when the
sync flag is set, the buffer must be flushed to a temporary file, otherwise
the request body data can be overwritten.

Previously, the sync buffer wasn't flushed to a temporary file if the whole
body was received in one DATA frame with the END_STREAM flag and wasn't
copied into the HTTP/2 body preread buffer.  As a result, the request body
might be corrupted (ticket #1384).

Now, setting r->request_body_in_file_only enforces writing the sync buffer
to a temporary file in all cases.

diffstat:

 src/http/v2/ngx_http_v2.c |  7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

diffs (24 lines):

diff -r dbd77a638eb7 -r b6dc472299da src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Tue Oct 03 18:19:27 2017 +0300
+++ b/src/http/v2/ngx_http_v2.c	Wed Oct 04 21:15:15 2017 +0300
@@ -3589,11 +3589,6 @@ ngx_http_v2_read_request_body(ngx_http_r
         rb->buf = ngx_create_temp_buf(r->pool, (size_t) len);
 
     } else {
-        if (stream->preread) {
-            /* enforce writing preread buffer to file */
-            r->request_body_in_file_only = 1;
-        }
-
         rb->buf = ngx_calloc_buf(r->pool);
 
         if (rb->buf != NULL) {
@@ -3694,6 +3689,8 @@ ngx_http_v2_process_request_body(ngx_htt
             buf->pos = buf->start = pos;
             buf->last = buf->end = pos + size;
 
+            r->request_body_in_file_only = 1;
+
         } else {
             if (size > (size_t) (buf->end - buf->last)) {
                 ngx_log_error(NGX_LOG_INFO, fc->log, 0,

More information about the nginx-devel mailing list