bugfix: clear wait timer in ngx_http_lua_pipe_proc_wait_cleanup to pr…

[oowl]

…event SIGSEGV on QUIC connection close

fix crash:

gdb-peda$ bt
#0  0x000055e0f9710b8d in ngx_http_lua_pipe_resume_wait_handler (ev=0x55e1077bc848)
    at /home/owl/work/openresty/lua-nginx-module/src/ngx_http_lua_pipe.c:2433
#1  0x000055e0f95d97a0 in ngx_event_expire_timers () at src/event/ngx_event_timer.c:94
#2  0x000055e0f95d91ec in ngx_process_events_and_timers (
    cycle=cycle@entry=0x55e107718e00) at src/event/ngx_event.c:271
#3  0x000055e0f95e3198 in ngx_worker_process_cycle (cycle=cycle@entry=0x55e107718e00, 
    data=data@entry=0x0) at src/os/unix/ngx_process_cycle.c:793
#4  0x000055e0f95e150b in ngx_spawn_process (cycle=cycle@entry=0x55e107718e00, 
    proc=proc@entry=0x55e0f95e3080 <ngx_worker_process_cycle>, data=data@entry=0x0, 
    name=name@entry=0x55e0f975ae1f "worker process", 
    respawn=respawn@entry=0xfffffffffffffffd) at src/os/unix/ngx_process.c:199
#5  0x000055e0f95e2118 in ngx_start_worker_processes (
    cycle=cycle@entry=0x55e107718e00, n=0x1, type=type@entry=0xfffffffffffffffd)
    at src/os/unix/ngx_process_cycle.c:382
#6  0x000055e0f95e3beb in ngx_master_process_cycle (cycle=cycle@entry=0x55e107718e00)
    at src/os/unix/ngx_process_cycle.c:135
#7  0x000055e0f95b619a in main (argc=<optimized out>, argv=<optimized out>)
    at src/core/nginx.c:387
#8  0x00007f67700366c1 in __libc_start_call_main (
    main=main@entry=0x55e0f95b55d8 <main>, argc=argc@entry=0x7, 
    argv=argv@entry=0x7fff1dacbad8) at ../sysdeps/nptl/libc_start_call_main.h:59
#9  0x00007f67700367f9 in __libc_start_main_impl (main=0x55e0f95b55d8 <main>, 
    argc=0x7, argv=0x7fff1dacbad8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fff1dacbac8) at ../csu/libc-start.c:360
#10 0x000055e0f95b4765 in _start ()

I hereby granted the copyright of the changes in this pull request
to the authors of this lua-nginx-module project.

[Copilot]

Pull request overview

This PR addresses a QUIC-connection-close crash (SIGSEGV) caused by a standalone wait timer (wait_co_ctx->sleep) firing after the request pool has been freed, by ensuring the wait timer is cleared during pool cleanup even when pipe_proc_destroy has already run.

Changes:

• Clear wait_co_ctx->sleep in ngx_http_lua_pipe_proc_wait_cleanup() when proc->pipe == NULL to prevent a use-after-free on timer fire.
• Add a QUIC regression test ensuring the pipe wait timer does not fire after pool teardown.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
t/191-pipe-proc-quic-close-crash.t	Adds a regression test covering the wait-timer UAF scenario on QUIC connection close.
src/ngx_http_lua_pipe.c	Clears the standalone wait event in the proc->pipe == NULL cleanup path to prevent timer callbacks after pool free.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.