[PATCH] Chunked filter: check if ctx is null

Jan Prachař jan.prachar at gmail.com
Wed Jan 3 18:53:00 UTC 2018

There exists a path which brings you to the body filter in the chunked
filter module while the module ctx is null, which results in segfault.

If during piping a chunked response from upstream to downstream both
upstream and downstream errors happen, an internal redirect to a named
location is performed (according to the directive error_page) and
the modules' contexts are cleared. If you have a lua handler in that location,
it starts sending a body, because headers were already sent. A crash in the
chunked filter module follows, because ctx is NULL.

Maybe there is also a problem in the lua module and it should call
header filters first. Also maybe nginx should not perform internal
redirect, if part of the body was already sent.

But better safe than sorry :) I found that the same checks are in body
filters of other core modules too.

 nginx/src/http/modules/ngx_http_chunked_filter_module.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nginx/src/http/modules/ngx_http_chunked_filter_module.c
index 4d6fd3eed..c3d173b20 100644
--- a/nginx/src/http/modules/ngx_http_chunked_filter_module.c
+++ b/nginx/src/http/modules/ngx_http_chunked_filter_module.c
@@ -116,6 +116,9 @@ ngx_http_chunked_body_filter(ngx_http_request_t *r,
ngx_chain_t *in)
     ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module);
+    if (ctx == NULL) {
+        return ngx_http_next_body_filter(r, in);
+    }
     out = NULL;
     ll = &out;
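
Review bot: The added `if (ctx == NULL)` branch hands `in` to ngx_http_next_body_filter() without any chunk framing, while the description says the headers of a chunked response were already sent, so the client may receive body bytes that are not valid chunked encoding. Consider returning NGX_ERROR in this branch so the request is terminated instead of emitting an unframed body, or, if pass-through is intended, add a comment above the check naming the case in which ctx can be NULL (internal redirect after headers were sent) and why forwarding the buffers unchanged is safe there.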
