From 64a9f700929dbc8f0730be4f91cc3bbfde8fc3e6 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 12 Dec 2011 10:47:48 +0000
Subject: [PATCH] Cache: handling of cache files with long headers.
There are two possible situations which can lead to this: response was cached with bigger proxy_buffer_size value (and nginx was restared since then, i.e. shared memory zone content was lost), or due to the race in the cache update code (see [1]) we've end up with fcn->body_start from a different response stored in shared memory zone.
[1] http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001287.html
---
 src/http/ngx_http_file_cache.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/http/ngx_http_file_cache.c b/src/http/ngx_http_file_cache.c
index 6a363220d..cb329aa9b 100644
--- a/src/http/ngx_http_file_cache.c
+++ b/src/http/ngx_http_file_cache.c
@@ -386,6 +386,13 @@ ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c)
 return NGX_DECLINED;
 }
+ if (h->body_start > c->body_start) {
+ ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
+ "cache file \"%s\" has too long header",
+ c->file.name.data);
+ return NGX_DECLINED;
+ }
+
 c->buf->last += n;
 c->valid_sec = h->valid_sec;
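Review bot: The new guard bounds `h->body_start` against `c->body_start` but not against `n`, the byte count that the next context line adds to `c->buf->last`. A truncated or damaged cache file whose on-disk header claims a `body_start` within the limit, yet beyond what was actually read, would still pass. Since `h` comes from disk and the commit message describes ways the file and the shared-memory state can disagree, I would add a second check before `c->buf->last += n;`, for example `if ((size_t) n < h->body_start) { ... return NGX_DECLINED; }`, with its own log text so that "too long header" stays accurate. An equivalent test on `n` may already sit above the hunk, where only a `return NGX_DECLINED;` is visible, and ngx_http_file_cache_read continues past the last context line, so this needs confirming against the full function.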