Make sure WRK_Flush() always resets w->niov so WRK_Write() does not

overrun the w->iov.

Because niov is right after iov in struct worker, it is hard to predict
what the effect of hitting this bug, but "core dump" is almost a given.

I don't think it has been likely to happen a lot however, as it would
require a full complement of HTTP headers or a very fragmented object.

Coverity Scan (CID:7)

git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@2369 d4fa192b-c00b-0410-8231-f00ffab90ce4

diff --git a/varnish-cache/bin/varnishd/cache_pool.c b/varnish-cache/bin/varnishd/cache_pool.c
index 8894ca7313bbf1362549c798246c5880ffe60419..174ef28373f03b0ccdd3582c7e97fed0a125f7fb 100644 (file)
--- a/varnish-cache/bin/varnishd/cache_pool.c
+++ b/varnish-cache/bin/varnishd/cache_pool.c
@@ -98,11 +98,11 @@ WRK_Flush(struct worker *w)
        ssize_t i;
 
        CHECK_OBJ_NOTNULL(w, WORKER_MAGIC);
-       if (*w->wfd < 0 || w->niov == 0 || w->werr)
-               return (w->werr);
-       i = writev(*w->wfd, w->iov, w->niov);
-       if (i != w->liov)
-               w->werr++;
+       if (*w->wfd >= 0 && w->niov > 0 && w->werr == 0) {
+               i = writev(*w->wfd, w->iov, w->niov);
+               if (i != w->liov)
+                       w->werr++;
+       }
        w->liov = 0;
        w->niov = 0;
        return (w->werr);