From 32e167e211d17a92ab7beed3cc26a6fa785749f4 Mon Sep 17 00:00:00 2001
From: Valentin Bartenev <vbart@nginx.com>
Date: Wed, 24 Jul 2013 22:24:25 +0400
Subject: [PATCH] SPDY: fixed segfault with "client_body_in_file_only" enabled.

It is possible to send FLAG_FIN in additional empty data frame, even if it is
known from the content-length header that request body is empty.  And Firefox
actually behaves like this (see ticket #357).

To simplify code we sacrificed our microoptimization that did not work right
due to missing check in the ngx_http_spdy_state_data() function for rb->buf
set to NULL.
---
 src/http/ngx_http_spdy.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index acadaf232..f8136213a 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -2529,13 +2529,6 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
             return NGX_ERROR;
         }
 
-        if (rb->rest == 0) {
-            buf->in_file = 1;
-            buf->file = &tf->file;
-        } else {
-            rb->buf = buf;
-        }
-
     } else {
 
         if (rb->rest == 0) {
@@ -2546,10 +2539,10 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
         if (buf == NULL) {
             return NGX_ERROR;
         }
-
-        rb->buf = buf;
     }
 
+    rb->buf = buf;
+
     rb->bufs = ngx_alloc_chain_link(r->pool);
     if (rb->bufs == NULL) {
         return NGX_ERROR;