Actually the structure in Nginx that the authors attacked is laid out exactly in this way:

    struct ngx_http_request_s {
        uint32_t signature;                  /* "HTTP" */
        ngx_connection_t *connection;        /* pointer, not an embedded struct */
        ...
        ngx_http_log_handler_pt  log_handler; /* function pointer, called on error */
        ...
        u_char    lowcase_header[NGX_HTTP_LC_HEADER_LEN]; /* sits above log_handler */
        ...
        unsigned http_minor:16;
        unsigned http_major:16;
    };
They underflow lowcase_header (or rather, assume the existence of an underflow bug) to overwrite log_handler, a function pointer that is called when an error occurs.

I do find the authors' presentation a little disingenuous, because the purported underflow bug does not actually exist - the authors assume it does, then proceed as if they have full control over the function pointer (including the ASLR leak necessary to obtain proper gadget addresses).
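As an added example (not from the comment above and not Nginx's own code), the following constructed stand-in struct keeps the same field order as the quoted fragment and shows, with offsetof, how few bytes separate lowcase_header from the preceding function pointer, why a signed index that is never validated can reach it, and what the bounds check that prevents it looks like. The struct, the placeholder LC_HEADER_LEN, and every function name here are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ngx_http_request_s fragment: same field order,
 * but NOT Nginx's real definition. LC_HEADER_LEN is an assumed placeholder
 * for NGX_HTTP_LC_HEADER_LEN. */
#define LC_HEADER_LEN 32

typedef void (*log_handler_pt)(void);

struct request_like {
    uint32_t        signature;
    void           *connection;                   /* stand-in for ngx_connection_t * */
    log_handler_pt  log_handler;                  /* lives just below lowcase_header */
    unsigned char   lowcase_header[LC_HEADER_LEN];
    unsigned        http_minor:16;
    unsigned        http_major:16;
};

/* Harmless handler used only as a recognisable pointer value. */
static void sentinel_handler(void) { }

/* How many bytes before lowcase_header[0] the function pointer starts. */
long bytes_back_to_log_handler(void)
{
    return (long)offsetof(struct request_like, lowcase_header)
         - (long)offsetof(struct request_like, log_handler);
}

/* Vulnerable form: the index is signed and never validated, so a negative
 * index reaches back into the preceding fields. The address is formed from
 * the struct base so the write stays inside our own object. */
void store_lowcase_unchecked(struct request_like *r, long idx, unsigned char c)
{
    unsigned char *p = (unsigned char *)r
                     + offsetof(struct request_like, lowcase_header) + idx;
    *p = c;
}

/* Hardened form: reject anything outside [0, LC_HEADER_LEN). */
bool store_lowcase_checked(struct request_like *r, long idx, unsigned char c)
{
    if (idx < 0 || idx >= LC_HEADER_LEN)
        return false;
    r->lowcase_header[idx] = c;
    return true;
}

/* Returns true if the unchecked store changed the bytes of log_handler. */
bool unchecked_store_corrupts_handler(void)
{
    struct request_like r;
    memset(&r, 0, sizeof r);
    r.log_handler = sentinel_handler;

    log_handler_pt before = r.log_handler;
    unsigned char first;
    memcpy(&first, &r.log_handler, 1);      /* lowest-address byte of the pointer */

    /* A negative index of exactly this magnitude lands on that byte. */
    store_lowcase_unchecked(&r, -bytes_back_to_log_handler(), (unsigned char)~first);

    return memcmp(&before, &r.log_handler, sizeof before) != 0;
}

/* Returns true if the checked store refuses the same index and leaves
 * log_handler intact. */
bool checked_store_preserves_handler(void)
{
    struct request_like r;
    memset(&r, 0, sizeof r);
    r.log_handler = sentinel_handler;
    log_handler_pt before = r.log_handler;

    bool accepted = store_lowcase_checked(&r, -bytes_back_to_log_handler(), 0xFF);

    return !accepted && memcmp(&before, &r.log_handler, sizeof before) == 0;
}

int main(void)
{
    printf("log_handler starts %ld bytes before lowcase_header\n",
           bytes_back_to_log_handler());
    printf("unchecked store corrupts handler: %s\n",
           unchecked_store_corrupts_handler() ? "yes" : "no");
    printf("checked store preserves handler:  %s\n",
           checked_store_preserves_handler() ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the distance is the size of one pointer: signature is padded to 8 bytes, connection occupies 8, and log_handler is the field immediately before the array. The point for a reviewer is that the index type and the missing lower-bound check are the defect; the field order only decides what gets hit.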
