id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 269 DAV crash if reading body would block Bryan Berg "I think I've found a bug in the DAV module related to body reads. Under 1.2.5, this causes a segfault in the worker handling the request. The patch in 1.2.6 fixes the segfault, but nginx returns a 500 when the PUT could reasonably complete. Applying the supplied patch causes the PUT to complete without issue. I've attached a sample config as well as a script which can reproduce the issue. The appearance of the bug is sensitive to timing, so generating some load on the server under test can raise the odds that you experience it. (In my VM, PUTing over the network while running a tcpdump is good enough.) First, open a connection and GET a file. Then, on the same connection, PUT a file. The code to read the body doesn't properly handle the case in which the body is not immediately available. If the read() call returns NGX_AGAIN while reading the body, ngx_http_dav_handler() swallows the return code and returns NGX_DONE. This leaves the request in an inconsistent state (where r->request_body->temp_file is NULL or garbage) and causes the crash or 500. If instead ngx_http_dav_handler() recognizes the return code and returns NGX_AGAIN, the read event gets properly scheduled and the upload completes. We've been running this patch in production for a little while now, and it seems to work fine. I haven't had a chance to test this against [4938] as it doesn't look like it was merged back to 1.2. " defect closed minor nginx-module 1.2.x wontfix dav put Linux gelid-goose 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux "nginx version: nginx/1.2.6 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/home/andrew/packages/nginx/nginx-1.2.6/debian/modules/nginx-auth-pam --add-module=/home/andrew/packages/nginx/nginx-1.2.6/debian/modules/nginx-echo --add-module=/home/andrew/packages/nginx/nginx-1.2.6/debian/modules/nginx-upstream-fair --add-module=/home/andrew/packages/nginx/nginx-1.2.6/debian/modules/nginx-dav-ext-module --add-module=/home/andrew/packages/nginx/nginx-1.2.6/debian/modules/nginx-upload-module"