HTTP/2: fix handling of connection errors.

Previously, an nginx worker would crash because of a double free
if a client disconnected or timed out before sending all headers.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Piotr Sikora 2015-10-01 20:25:55 -07:00
parent de4f0eb26b
commit f93aa4d953


@ -2377,12 +2377,6 @@ ngx_http_v2_connection_error(ngx_http_v2_connection_t *h2c,
ngx_debug_point(); ngx_debug_point();
} }
if (h2c->state.stream) {
h2c->state.stream->out_closed = 1;
h2c->state.pool = NULL;
ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST);
}
ngx_http_v2_finalize_connection(h2c, err); ngx_http_v2_finalize_connection(h2c, err);
return NULL; return NULL;
@ -3814,6 +3808,12 @@ ngx_http_v2_finalize_connection(ngx_http_v2_connection_t *h2c,
c = h2c->connection; c = h2c->connection;
if (h2c->state.stream) {
h2c->state.stream->out_closed = 1;
h2c->state.pool = NULL;
ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST);
}
h2c->blocked = 1; h2c->blocked = 1;
if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) { if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) {
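Review bot: After the block moved into ngx_http_v2_finalize_connection calls `ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST)`, `h2c->state.stream` still points at the closed stream while the function goes on to send GOAWAY and run the rest of its body, which continues outside the hunk. Unless ngx_http_v2_close_stream clears that field itself (not visible here), any later read of it, or a second pass through this function for the same connection, would touch a released stream, which is the same class of lifetime bug this commit fixes. Consider adding `h2c->state.stream = NULL;` as the last statement inside the `if`, and a comment on `h2c->state.pool = NULL;` along the lines of `/* pool is released by ngx_http_v2_close_stream(); drop our reference so it is not destroyed twice */`, if that is indeed the ownership rule.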