mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-07-27 23:56:18 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

QUIC: avoid accessing freed frame.

Browse Source 
Previously the field pnum of a potentially freed frame was accessed.  Now the
value is copied to a local variable.  The old behavior did not cause any
problems since the frame memory is not freed, but is moved to a free queue
instead.
This commit is contained in:
Roman Arutyunyan 2023-08-01 11:20:04 +04:00
parent 968293d5e7
commit 57f87d6163
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/event/quic/ngx_event_quic_ack.c
View File

@ -548,6 +548,7 @@ ngx_quic_persistent_congestion(ngx_connection_t *c)
void void
ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx) ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
{ {
uint64_t pnum;
ngx_queue_t *q; ngx_queue_t *q;
ngx_quic_frame_t *f, *start; ngx_quic_frame_t *f, *start;
ngx_quic_stream_t *qs; ngx_quic_stream_t *qs;
@ -556,6 +557,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
qc = ngx_quic_get_connection(c); qc = ngx_quic_get_connection(c);
q = ngx_queue_head(&ctx->sent); q = ngx_queue_head(&ctx->sent);
start = ngx_queue_data(q, ngx_quic_frame_t, queue); start = ngx_queue_data(q, ngx_quic_frame_t, queue);
pnum = start->pnum;
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic resend packet pnum:%uL", start->pnum); "quic resend packet pnum:%uL", start->pnum);
@ -565,7 +567,7 @@ ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
do { do {
f = ngx_queue_data(q, ngx_quic_frame_t, queue); f = ngx_queue_data(q, ngx_quic_frame_t, queue);
if (f->pnum != start->pnum) { if (f->pnum != pnum) {
break; break;
} }