Event pipe: fixed buffer loss in p->length case.

With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list.  This eventually might cause "all buffers busy"
problem, resulting in segmentation fault due to null pointer dereference in
ngx_event_pipe_write_chain_to_temp_file().

In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.

Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().

1 files changed, 2 insertions, 1 deletions

diff --git a/src/event/ngx_event_pipe.c b/src/event/ngx_event_pipe.c
index 62358ead1..b959ff4ff 100644
--- a/src/event/ngx_event_pipe.c
+++ b/src/event/ngx_event_pipe.c
@@ -401,13 +401,14 @@ ngx_event_pipe_read_upstream(ngx_event_pipe_t *p)
 
         if (cl->buf->last - cl->buf->pos >= p->length) {
 
+            p->free_raw_bufs = cl->next;
+
             /* STUB */ cl->buf->num = p->num++;
 
             if (p->input_filter(p, cl->buf) == NGX_ERROR) {
                  return NGX_ABORT;
             }
 
-            p->free_raw_bufs = cl->next;
             ngx_free_chain(p->pool, cl);
         }
     }