SPDY: fixed the DATA frame length handling in case of some errors.

There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resulted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
Valentin Bartenev 2014-03-28 20:05:07 +04:00
parent de3c7a825e
commit afb92a8127

@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
complete = 1;
} else {
sc->length -= size;
complete = 0;
}
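Review bot: in the else branch, once `sc->length -= size;` no longer lives here (the hunk header shows 7 lines becoming 6), sc->length keeps the full remaining frame length for everything that runs between this if/else and the later decrement, and nothing in the code records that this is intentional. The commit message says the error paths that call ngx_http_spdy_state_skip() need *pos and sc->length to agree, so a short comment at this spot stating that sc->length must not change until the data is actually consumed would keep a later edit from reintroducing the early decrement.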
@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
}
}
sc->length -= size;
if (tf) {
buf->start = pos;
buf->pos = pos;
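Review bot: the `sc->length -= size;` ahead of `if (tf) {` now runs for both the complete and the incomplete case, so it relies on size never exceeding sc->length at this point, and the bound that guarantees that is not visible in this hunk. Please confirm every path reaching this line has size <= sc->length, and consider keeping the decrement directly beside the statement that advances pos by size, so the two values the commit message describes as having been inconsistent are updated together.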