bugfix: prevent SIGSEGV in receiveuntil __gc on aborted multipart upload.

climagabriel · climagabriel · commit 6335e7684777 · 2026-05-25T07:23:57.000Z
A client that POSTs a multipart body and aborts the connection mid-pattern against ngx.req.socket():receiveuntil(boundary) can SIGSEGV the worker from the LuaJIT GC's __gc finalizer on the compiled-pattern userdata. ngx_http_lua_socket_read_error_retval_handler calls ngx_http_lua_socket_tcp_finalize_read_part directly when the receiveuntil iterator's recv returns an error (e.g. client RST). finalize_read_part clears u->buf_in / u->bufs_in and memzeros u->buffer, but does not detach the compiled-pattern userdata held in u->input_filter_ctx -- so cp->upstream stays pointing at u and cp->state stays > 0 (the DFA stopped mid-match). Later, when LuaJIT GC sweeps the cp userdata, ngx_http_lua_socket_cleanup_compiled_pattern fires and calls ngx_http_lua_socket_tcp_read_prepare(r, u, NULL). cp->state > 0 forces the recovery branches that read u->buf_in->buf->pos -- a NULL deref. Belt-and-braces fix in two places: - read_prepare: bail when u->buf_in == NULL after the cp->state check, before the recovery branches that would deref it. - finalize_read_part: clear cp->upstream, mirroring the same detach that ngx_http_lua_socket_tcp_finalize already performs. This short-circuits the __gc handler at its existing `if (u != NULL)` guard, so the bad code path is never entered. Reproducer: POST a multipart body that ends mid-boundary, then close the socket with SO_LINGER {1,0} so the server reads RST while the DFA is mid-match. Lua handler does: local sock = ngx.req.socket() local iter = sock:receiveuntil("--" .. BOUNDARY) while true do local d = iter(1) if not d then break end end collectgarbage("collect") With the body shaped as six leading dashes against a 12-dash boundary leader, cp->state lands at 6 with no DFA fallback, and the synchronous collectgarbage runs cp's __gc inside the request -- 100% crash rate. Crash signature: #0 ngx_http_lua_socket_tcp_read_prepare (data=0x0) [inlined memcpy at ngx_http_lua_socket_tcp.c, recovery branch, u->buf_in == NULL] #1 ngx_http_lua_socket_cleanup_compiled_pattern ngx_http_lua_socket_tcp.c #2 lj_BC_FUNCC buildvm_x86.dasc #3 gc_call_finalizer lj_gc.c #4 gc_finalize lj_gc.c #5 gc_onestep lj_gc.c #6 lj_gc_fullgc lj_gc.c #7 lua_gc (what=LUA_GCCOLLECT) lj_api.c #8 lj_cf_collectgarbage lib_base.c #9 lj_BC_FUNCC buildvm_x86.dasc #10 ngx_http_lua_run_thread ngx_http_lua_util.c #11 ngx_http_lua_socket_tcp_resume_helper ngx_http_lua_socket_tcp.c #12 ngx_http_lua_socket_tcp_read ngx_http_lua_socket_tcp.c #13 ngx_http_request_handler src/http/ngx_http_request.c
diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c
@@ -2803,6 +2803,13 @@ ngx_http_lua_socket_tcp_read_prepare(ngx_http_request_t *r,
         return;
     }
 
+    /* finalize_read_part may have cleared u->buf_in before the
+     * compiled-pattern userdata's __gc runs; the recovery branches
+     * below would NULL-deref u->buf_in->buf->pos. */
+    if (u->buf_in == NULL) {
+        return;
+    }
+
     b = &u->buffer;
 
     if (b->pos - b->start >= cp->state) {
@@ -4203,6 +4210,14 @@ ngx_http_lua_socket_tcp_finalize_read_part(ngx_http_request_t *r,
         ngx_memzero(&u->buffer, sizeof(ngx_buf_t));
     }
 
+    /* Mirror ngx_http_lua_socket_tcp_finalize: detach the compiled-pattern
+     * userdata so a later __gc on it won't re-enter read_prepare on a
+     * half-finalised upstream. */
+    if (u->input_filter_ctx != NULL && u->input_filter_ctx != u) {
+        ((ngx_http_lua_socket_compiled_pattern_t *)
+         u->input_filter_ctx)->upstream = NULL;
+    }
+
     if (u->raw_downstream || u->body_downstream) {
         if (r->connection->read->timer_set) {
             ngx_del_timer(r->connection->read);
