Request body: error checking fixes, negative rb->rest handling.

Negative rb->rest can't happen with current code, but it's good to have
it handled anyway.

Found by Coverity (CID 744846, 744847, 744848).

diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
index 0b2f89ff538b9101a065ca8d962a2f026247d9b4..2735034a18dc107b19435df2115e527ca4b1e36d 100644 (file)
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -134,6 +134,13 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
         return NGX_OK;
     }
 
+    if (rb->rest < 0) {
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                      "negative request body rest");
+        rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+        goto done;
+    }
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     size = clcf->client_body_buffer_size;
@@ -643,7 +650,7 @@ ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
             }
 
             rb->chunked = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_t));
-            if (rb == NULL) {
+            if (rb->chunked == NULL) {
                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
             }
 
@@ -1022,7 +1029,9 @@ ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in)
 
     /* TODO: coalesce neighbouring buffers */
 
-    ngx_chain_add_copy(r->pool, &rb->bufs, in);
+    if (ngx_chain_add_copy(r->pool, &rb->bufs, in) != NGX_OK) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
 
     return NGX_OK;
 }