From 57f87d61639d7fc0f5df187056ef03fcec3236a8 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan
Date: Tue, 1 Aug 2023 11:20:04 +0400
Subject: [PATCH] QUIC: avoid accessing freed frame.

Previously the field pnum of a potentially freed frame was accessed. Now the value is copied to a local variable. The old behavior did not cause any problems since the frame memory is not freed, but is moved to a free queue instead.
---
 src/event/quic/ngx_event_quic_ack.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/event/quic/ngx_event_quic_ack.c b/src/event/quic/ngx_event_quic_ack.c
index 865be2e6a..e6210653a 100644
--- a/src/event/quic/ngx_event_quic_ack.c
+++ b/src/event/quic/ngx_event_quic_ack.c
@@ -548,6 +548,7 @@ ngx_quic_persistent_congestion(ngx_connection_t *c)
 void
 ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
 {
+    uint64_t            pnum;
     ngx_queue_t        *q;
     ngx_quic_frame_t   *f, *start;
     ngx_quic_stream_t  *qs;
@@ -556,6 +557,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
     qc = ngx_quic_get_connection(c);
     q = ngx_queue_head(&ctx->sent);
     start = ngx_queue_data(q, ngx_quic_frame_t, queue);
+    pnum = start->pnum;
 
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic resend packet pnum:%uL", start->pnum);
@@ -565,7 +567,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
     do {
         f = ngx_queue_data(q, ngx_quic_frame_t, queue);
 
-        if (f->pnum != start->pnum) {
+        if (f->pnum != pnum) {
             break;
         }
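Review bot: The debug log directly below the new `pnum = start->pnum;` line still reads `start->pnum`, so the function now carries two sources for the same value while the loop comparison in the last hunk is switched to the local; for consistency the log could read `"quic resend packet pnum:%uL", pnum);`. At that point start is still the head of ctx->sent and nothing has been requeued, so the existing read is safe and this is a style point only. Keeping every later use on the local also means correctness no longer depends on the allocator detail the commit message mentions (frames being parked on a free queue rather than released). ngx_quic_resend_frames continues past the end of the shown hunks.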