https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4450

http://nginx.org/download/patch.2016.write2.txt

diff -uap nginx-1.8.1/src/os/unix/ngx_files.c.cve4450 nginx-1.8.1/src/os/unix/ngx_files.c
--- nginx-1.8.1/src/os/unix/ngx_files.c.cve4450
+++ nginx-1.8.1/src/os/unix/ngx_files.c
@@ -292,6 +292,12 @@ ngx_write_chain_to_file(ngx_file_t *file
         /* create the iovec and coalesce the neighbouring bufs */
 
         while (cl && vec.nelts < IOV_MAX) {
+
+            if (ngx_buf_special(cl->buf)) {
+                cl = cl->next;
+                continue;
+            }
+
             if (prev == cl->buf->pos) {
                 iov->iov_len += cl->buf->last - cl->buf->pos;