From 4d765d71ea689c42ade897fc93851b8a8797e9c7 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)"
Date: Tue, 9 Aug 2011 20:23:25 +0200
Subject: [PATCH] Nginx: fix NULL pointer crash that occurs when HTTP 1.0 Host header isn't given.
---
 ext/nginx/ContentHandler.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/ext/nginx/ContentHandler.c b/ext/nginx/ContentHandler.c
index 2cf417bd92..ef246bc304 100644
--- a/ext/nginx/ContentHandler.c
+++ b/ext/nginx/ContentHandler.c
@@ -336,6 +336,7 @@ create_request(ngx_http_request_t *r)
 ngx_table_elt_t *header;
 ngx_http_script_code_pt code;
 ngx_http_script_engine_t e, le;
+ ngx_http_core_srv_conf_t *cscf;
 passenger_loc_conf_t *slcf;
 passenger_main_conf_t *main_conf;
 passenger_context_t *context;
@@ -344,6 +345,7 @@ create_request(ngx_http_request_t *r)
 ngx_http_ssl_srv_conf_t *ssl_conf;
 #endif
+ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 slcf = ngx_http_get_module_loc_conf(r, ngx_http_passenger_module);
 main_conf = &passenger_main_conf;
 context = ngx_http_get_module_ctx(r, ngx_http_passenger_module);
@@ -415,11 +417,15 @@ create_request(ngx_http_request_t *r)
 }
 /* SERVER_NAME; must be equal to HTTP_HOST without the port part */
- tmp = memchr(r->headers_in.host->value.data, ':', r->headers_in.host->value.len);
- if (tmp == NULL) {
- server_name_len = r->headers_in.host->value.len;
+ if (r->headers_in.host != NULL) {
+ tmp = memchr(r->headers_in.host->value.data, ':', r->headers_in.host->value.len);
+ if (tmp == NULL) {
+ server_name_len = r->headers_in.host->value.len;
+ } else {
+ server_name_len = (int) ((const u_char *) tmp - r->headers_in.host->value.data);
+ }
 } else {
- server_name_len = (int) ((const u_char *) tmp - r->headers_in.host->value.data);
+ server_name_len = cscf->server_name.len;
 }
 len += sizeof("SERVER_NAME") + server_name_len + 1;
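Review bot: The choice between the Host header and `cscf->server_name` is made here only for `server_name_len`, and the copy pass in the `@@ -650,8 +656,13 @@` hunk repeats the same `r->headers_in.host != NULL` test to pick the source pointer. Because the length comes from one evaluation and the bytes are copied under another, a later edit to only one of the two conditions would copy from a buffer the length was not measured on. Record the source once here, `server_name = r->headers_in.host->value.data;` in the Host branch and `server_name = cscf->server_name.data;` in the fallback (with a `u_char *server_name` local), so the copy becomes the single line `b->last = ngx_copy(b->last, server_name, server_name_len);`. The rest of create_request, presumably including the place where `len` sizes the buffer behind `b`, lies outside the hunks shown.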
@@ -650,8 +656,13 @@ create_request(ngx_http_request_t *r)
 /* SERVER_NAME */
 b->last = ngx_copy(b->last, "SERVER_NAME", sizeof("SERVER_NAME"));
- b->last = ngx_copy(b->last, r->headers_in.host->value.data,
- server_name_len);
+ if (r->headers_in.host != NULL) {
+ b->last = ngx_copy(b->last, r->headers_in.host->value.data,
+ server_name_len);
+ } else {
+ b->last = ngx_copy(b->last, cscf->server_name.data,
+ server_name_len);
+ }
 b->last = ngx_copy(b->last, "", 1);
 /* Various other HTTP headers. */
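Review bot: The `/* SERVER_NAME */` comment above the copy no longer tells a reader where the value comes from: with a Host header it is request-supplied bytes cut at the first ':', and without one it is the configured `server_name`. Say so in the comment, for example `/* SERVER_NAME: client-supplied Host header without the port, or the configured server_name when the request has no Host header */`, so that code consuming SERVER_NAME downstream does not treat it as a trusted value. The comment in the length pass, `must be equal to HTTP_HOST without the port part`, has the same gap for the no-Host case.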