Re: Segmentation fault в DAV модуле
Arnaud GRANAL
serphen at gmail.com
Mon Nov 19 15:40:05 UTC 2012
2012/11/19 Dmitry Petrov <dmitry.petroff at gmail.com>
> Здравствуйте.
>
>
Hey,
> При использовании iphonовского клиента наткнулся на устойчивые падения в
> DAV модуле такого характера (бактрейс для nginx-1.2.1 с парой отладочных
> printf-ов, общая картина в 1.3.8 та же самая):
> #0 0x08057494 in ngx_ext_rename_file (src=0x4, to=0xbfb3af54,
> ext=0xbfb3aedc) at src/core/ngx_file.c:545
> #1 0x080bb8ee in ngx_http_dav_put_handler (r=0x8c71598) at
> src/http/modules/ngx_http_dav_module.c:262
> #2 0x0809590e in ngx_http_read_client_request_body (r=0x8c71598,
> post_handler=0x80bb64b <ngx_http_dav_put_handler>) at
> src/http/ngx_http_request_body.c:44
> [...]
>
> Для меня все починилось дополнительной проверкой на NULL
> r->request_body->temp_file (патч для 1.3.8 прилагается). Не знаю насколько
> идеологически правилен этот фикс, но проблему с падением решает.
>
>
I guess it was fixed in a recent commit by Maxim:
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1352393278 -14400
# Node ID c26606971d58dd27df5f72b9fcf90bc883038d76
# Parent 1b2abbd52edc283f69c7513a6cb5406f7913ecae
Dav: fixed segfault on PUT if body was already read (ticket #238).
If request body reading happens with different options it's possible
that there will be no r->request_body->temp_file available (or even
no r->request_body available if body was discarded). Return internal
server error in this case instead of committing suicide by dereferencing
a null pointer.
diff --git a/src/http/modules/ngx_http_dav_module.c
b/src/http/modules/ngx_http_dav_module.c
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -209,6 +209,11 @@ ngx_http_dav_put_handler(ngx_http_reques
ngx_ext_rename_file_t ext;
ngx_http_dav_loc_conf_t *dlcf;
+ if (r->request_body == NULL || r->request_body->temp_file == NULL) {
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
ngx_http_map_uri_to_path(r, &path, &root, 0);
path.len--;
Arnaud.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20121119/dc57183f/attachment.html>
More information about the nginx-devel
mailing list