Mercurial > hg > nginx-quic
changeset 9077:8f2f40d3fd18 quic
QUIC: fixed split frames error handling.
Do not corrupt frame data chain pointer on ngx_quic_read_buffer() error.
The error leads to closing a QUIC connection where the frame may be used
as part of the QUIC connection tear down, which involves writing pending
frames, including this one.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 04 May 2023 15:52:23 +0400 |
parents | 394e9a2cefc4 |
children | 9553eea74f2a |
files | src/event/quic/ngx_event_quic_frames.c |
diffstat | 1 files changed, 5 insertions(+), 2 deletions(-) |
--- a/src/event/quic/ngx_event_quic_frames.c +++ b/src/event/quic/ngx_event_quic_frames.c @@ -319,6 +319,7 @@ ngx_int_t ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len) { size_t shrink; + ngx_chain_t *out; ngx_quic_frame_t *nf; ngx_quic_buffer_t qb; ngx_quic_ordered_frame_t *of, *onf; @@ -359,11 +360,13 @@ ngx_quic_split_frame(ngx_connection_t *c ngx_memzero(&qb, sizeof(ngx_quic_buffer_t)); qb.chain = f->data; - f->data = ngx_quic_read_buffer(c, &qb, of->length); - if (f->data == NGX_CHAIN_ERROR) { + out = ngx_quic_read_buffer(c, &qb, of->length); + if (out == NGX_CHAIN_ERROR) { return NGX_ERROR; } + f->data = out; + nf = ngx_quic_alloc_frame(c); if (nf == NULL) { return NGX_ERROR;
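Review bot: in the second hunk, the ngx_quic_alloc_frame() failure path that follows "f->data = out;" still returns NGX_ERROR with the frame already modified. At that point f->data holds the chain returned by ngx_quic_read_buffer(), and whatever the call left in qb is referenced only by that local variable. The commit message says the frame may be written during connection tear down after an error, so the same reasoning applies to this return: consider allocating nf before the read, or moving "f->data = out;" below the nf == NULL check, so that every error return leaves f untouched. A one-line comment above "out = ngx_quic_read_buffer(c, &qb, of->length);" explaining why the result is not stored directly in f->data would help keep a later cleanup from folding the temporary back in.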