Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_streams.c @ 8841:1f7f98638dc2 quic
QUIC: fixed null pointer dereference in MAX_DATA handler.
If a MAX_DATA frame was received before any stream was created, then the worker
process would crash in nginx_quic_handle_max_data_frame() while traversing the
stream tree. The issue is solved by adding a check that makes sure the tree is
not empty.
| author | Mariano Di Martino <mariano.dimartino@uhasselt.be> |
|---|---|
| date | Fri, 03 Sep 2021 14:23:50 +0300 |
| parents | a9f6540e61da |
| children | 486c6a9be111 |
comparison
equal
deleted
inserted
replaced
| 8840:4d871baeacd2 | 8841:1f7f98638dc2 |
|---|---|
| 998 | 998 |
| 999 if (f->max_data <= qc->streams.send_max_data) { | 999 if (f->max_data <= qc->streams.send_max_data) { |
| 1000 return NGX_OK; | 1000 return NGX_OK; |
| 1001 } | 1001 } |
| 1002 | 1002 |
| 1003 if (qc->streams.sent >= qc->streams.send_max_data) { | 1003 if (tree->root != tree->sentinel |
| 1004 && qc->streams.sent >= qc->streams.send_max_data) | |
| 1005 { | |
| 1004 | 1006 |
| 1005 for (node = ngx_rbtree_min(tree->root, tree->sentinel); | 1007 for (node = ngx_rbtree_min(tree->root, tree->sentinel); |
| 1006 node; | 1008 node; |
| 1007 node = ngx_rbtree_next(tree, node)) | 1009 node = ngx_rbtree_next(tree, node)) |
| 1008 { | 1010 { |