From 780bb6dfaefc471f4b8d2100642a2c1af6a2623b Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 12 May 2015 15:26:42 +0100
Subject: [PATCH] Fix zero-copy mode in lua_http (double free).
---
 src/libutil/http.c | 2 +-
 src/lua/lua_http.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libutil/http.c b/src/libutil/http.c
index ff43ebd11..5e589afc2 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -1592,7 +1592,7 @@ rspamd_http_connection_write_message (struct rspamd_http_connection *conn,
 }
 if (msg->body != NULL) {
- if (msg->body_buf.str == NULL) {
+ if (msg->body_buf.str == NULL && msg->body_buf.len == 0) {
 msg->body_buf.str = msg->body->str;
 }
 priv->out[i].iov_base = pbody;
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index 7e48b7fd6..1baef5ed4 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -410,6 +410,8 @@ lua_http_request (lua_State *L)
 msg->body = g_string_new (NULL);
 msg->body->str = (gchar *)t->start;
 msg->body->len = t->len;
+ /* It is not safe unless we set len to avoid body_buf to be freed */
+ msg->body_buf.len = t->len;
 }
 }
--
2.39.5
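Review bot: The widened test `msg->body_buf.str == NULL && msg->body_buf.len == 0` makes "NULL str with a non-zero len" an ownership marker for a borrowed body, but nothing at this site says so; the only explanation is the comment added in lua_http.c. I would put a comment above the condition, for example `/* str == NULL with len != 0 marks a borrowed (zero-copy) body: do not alias it into body_buf */`, so that a later simplification of the check does not bring the double free back. The enclosing function starts and ends outside the hunk, so how `body_buf.str` is released cannot be confirmed from here.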
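Review bot: The marker set by `msg->body_buf.len = t->len;` does not cover an empty text: with `t->len == 0` the check in http.c (`body_buf.str == NULL && body_buf.len == 0`) is still true, so `body_buf.str` would again alias the borrowed `t->start`. Whether that pointer is then freed depends on cleanup code that is not shown, but the double free this commit addresses looks reachable for zero-length input. Taking the zero-copy path only when `t->len > 0`, or recording ownership in a dedicated flag rather than in the length, would close the gap. The enclosing branch and lua_http_request itself start outside the hunk.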