Re: Segmentation fault in the DAV module

Arnaud GRANAL serphen at gmail.com
Mon Nov 19 15:40:05 UTC 2012


2012/11/19 Dmitry Petrov <dmitry.petroff at gmail.com>

> Hello.
>
>
Hey,


> While using the iPhone client I ran into consistent crashes in the
> DAV module of the following kind (backtrace for nginx-1.2.1 with a couple of
> debugging printfs; the overall picture in 1.3.8 is the same):
> #0  0x08057494 in ngx_ext_rename_file (src=0x4, to=0xbfb3af54,
> ext=0xbfb3aedc) at src/core/ngx_file.c:545
> #1  0x080bb8ee in ngx_http_dav_put_handler (r=0x8c71598) at
> src/http/modules/ngx_http_dav_module.c:262
> #2  0x0809590e in ngx_http_read_client_request_body (r=0x8c71598,
> post_handler=0x80bb64b <ngx_http_dav_put_handler>) at
> src/http/ngx_http_request_body.c:44
> [...]
>
> For me everything was fixed by an additional NULL check on
> r->request_body->temp_file (patch for 1.3.8 attached). I don't know how
> ideologically correct this fix is, but it solves the crash problem.
>
>
I guess it was fixed in a recent commit by Maxim:

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1352393278 -14400
# Node ID c26606971d58dd27df5f72b9fcf90bc883038d76
# Parent  1b2abbd52edc283f69c7513a6cb5406f7913ecae
Dav: fixed segfault on PUT if body was already read (ticket #238).

If request body reading happens with different options it's possible
that there will be no r->request_body->temp_file available (or even
no r->request_body available if body was discarded).  Return internal
server error in this case instead of committing suicide by dereferencing
a null pointer.

diff --git a/src/http/modules/ngx_http_dav_module.c
b/src/http/modules/ngx_http_dav_module.c
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -209,6 +209,11 @@ ngx_http_dav_put_handler(ngx_http_reques
     ngx_ext_rename_file_t     ext;
     ngx_http_dav_loc_conf_t  *dlcf;

+    if (r->request_body == NULL || r->request_body->temp_file == NULL) {
+        ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        return;
+    }
+
     ngx_http_map_uri_to_path(r, &path, &root, 0);

     path.len--;
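
Review bot: The new NULL guard at the top of ngx_http_dav_put_handler() finalizes the request with NGX_HTTP_INTERNAL_SERVER_ERROR without writing anything to the error log, so an operator who sees 500 responses on PUT gets no hint that the body was already read with different options or was discarded. Consider an ngx_log_error() call on r->connection->log before ngx_http_finalize_request(), and a one-line comment above the check saying when r->request_body or r->request_body->temp_file can be NULL, since that rationale currently lives only in the commit message.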

Arnaud.