Hello.<br><br>Finally I was able to make a test that reproduces bug 100% of time.<br>Here it is (nginx sources included): <a href="http://rghost.net/41694908">http://rghost.net/41694908</a><br>You need to:<br>1. tar zxf nginx-webdav-segfault.tar.gz<br>
2. cd dav-bug/nginx-1.3.8<br>3. ./cf — this will configure nginx with needed modules and /tmp as prefix<br>4. cd ..<br>5. In one console start nginx via 'make r' command. It will automatically use dav.conf which will start nginx on <a href="http://0.0.0.0:8080">0.0.0.0:8080</a><br>
6. Attach to nginx process: gdb --pid `pgrep -n nginx`<br>7. Execute make — this will launch test trying to connect to localhost:8080, upload some files etc. Make sure that 8181 port is free before running test case - it create dummy "HTTP server" that simply ignores all requests. I wasn't able to get this bug without proxy_pass'es between webdav PUT's.<br>
8. Monitor console where you've started gdb - you will get SIGSEGV here<br>The symptoms of the crash are the same as I described earlier: r->request_body is not NULL, set from some kind of previous request. r->request_body->temp_file is NULL.<br>
<br>This test case just replaying dump recorded from Iphone HTTP session using TCP_CORK to achive exactly the same packets send (with scrambled payload ofc).<br><br>Hope this helps.<br><br><div class="gmail_quote">On Tue, Nov 20, 2012 at 1:21 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<div class="im"><br>
On Tue, Nov 20, 2012 at 12:05:07PM +0300, Dmitry Petrov wrote:<br>
<br>
> On Mon, Nov 19, 2012 at 7:40 PM, Arnaud GRANAL <<a href="mailto:serphen@gmail.com">serphen@gmail.com</a>> wrote:<br>
><br>
> > I guess it was fixed in a recent commit by Maxim:<br>
> > [..]<br>
> > diff --git a/src/http/modules/ngx_http_dav_module.c<br>
> > b/src/http/modules/ngx_http_dav_module.c<br>
> > --- a/src/http/modules/ngx_http_dav_module.c<br>
> > +++ b/src/http/modules/ngx_http_dav_module.c<br>
> > @@ -209,6 +209,11 @@ ngx_http_dav_put_handler(ngx_http_reques<br>
> > ngx_ext_rename_file_t ext;<br>
> > ngx_http_dav_loc_conf_t *dlcf;<br>
> ><br>
> > + if (r->request_body == NULL || r->request_body->temp_file == NULL) {<br>
> > + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);<br>
> > + return;<br>
> > + }<br>
> > +<br>
> > ngx_http_map_uri_to_path(r, &path, &root, 0);<br>
> ><br>
> > path.len--;<br>
> ><br>
> The problem is that I got this behavior on sequential valid PUT requests.<br>
> After handling first request, nginx even doesn't try to read body of next<br>
> request. It just calls ngx_http_dav_put_handler with r->response_body from<br>
<br>
</div>It looks like this is a generic request body handling problem,<br>
which leads to incorrect body processing if an extra write event<br>
happens during request body reading.<br>
<br>
The patch quoted will fix resulting segfault in dav module (which<br>
may also happen in other conditions), but the underlying problem<br>
also needs to be fixed. If you have a test case to reproduce the<br>
problem it might be helpful.<br>
<div class="im"><br>
> previous request but with r->response_body->temp_file set to NULL. With<br>
> extra check for temp_file not being NULL nginx actually reads second<br>
> request body and handles it properly.<br>
<br>
</div>The extra check you've added isn't correct as<br>
r->response_body->temp_file may be NULL for valid reasons, e.g.<br>
request body reading is done by a normal module like proxy, which<br>
doesn't require request body to be in file.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.com/support.html" target="_blank">http://nginx.com/support.html</a><br>
<br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Dmitry<br><br>