Skip to content
This repository has been archived by the owner on May 29, 2023. It is now read-only.

Incomplete body reading #140

Open
CorefLava opened this issue Jun 29, 2020 · 0 comments
Open

Incomplete body reading #140

CorefLava opened this issue Jun 29, 2020 · 0 comments

Comments

@CorefLava
Copy link

Hi, recently some trouble pushed me to look into function ngx_http_dyups_read_body and find these codes:

    cl = r->request_body->bufs;
    buf = cl->buf;

    if (cl->next == NULL) {

        return buf;

    } else {

        next = cl->next->buf;
        len = (buf->last - buf->pos) + (next->last - next->pos);

        body = ngx_create_temp_buf(r->pool, len);
        if (body == NULL) {
            return NULL;
        }

        body->last = ngx_cpymem(body->last, buf->pos, buf->last - buf->pos);
        body->last = ngx_cpymem(body->last, next->pos, next->last - next->pos);
    }

In the code above, dyups may only read the first two parts of buf chain, and the peril is, may cause body data incomplete, comparing with ngx_http_variable_request_body in ngx_http_variables.c:

    len = buf->last - buf->pos;
    cl = cl->next;

    for ( /* void */ ; cl; cl = cl->next) {
        buf = cl->buf;
        len += buf->last - buf->pos;
    }

    p = ngx_pnalloc(r->pool, len);
    if (p == NULL) {
        return NGX_ERROR;
    }

    v->data = p;
    cl = r->request_body->bufs;

    for ( /* void */ ; cl; cl = cl->next) {
        buf = cl->buf;
        p = ngx_cpymem(p, buf->pos, buf->last - buf->pos);
    }

Imo, if body reading ceases at some coincidence place, dyups syncing may succeed and cause unexpected problems.

So ist a bug? Or else why its safe?
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@CorefLava