Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_frames.c @ 9091:8f2f40d3fd18 quic
QUIC: fixed split frames error handling.
Do not corrupt frame data chain pointer on ngx_quic_read_buffer() error.
The error leads to closing a QUIC connection where the frame may be used
as part of the QUIC connection tear down, which envolves writing pending
frames, including this one.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Thu, 04 May 2023 15:52:23 +0400 |
| parents | def8e398d7c5 |
| children | 7ec761f0365f |
comparison
equal
deleted
inserted
replaced
| 9090:394e9a2cefc4 | 9091:8f2f40d3fd18 |
|---|---|
| 317 | 317 |
| 318 ngx_int_t | 318 ngx_int_t |
| 319 ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len) | 319 ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len) |
| 320 { | 320 { |
| 321 size_t shrink; | 321 size_t shrink; |
| 322 ngx_chain_t *out; | |
| 322 ngx_quic_frame_t *nf; | 323 ngx_quic_frame_t *nf; |
| 323 ngx_quic_buffer_t qb; | 324 ngx_quic_buffer_t qb; |
| 324 ngx_quic_ordered_frame_t *of, *onf; | 325 ngx_quic_ordered_frame_t *of, *onf; |
| 325 | 326 |
| 326 switch (f->type) { | 327 switch (f->type) { |
| 357 } | 358 } |
| 358 | 359 |
| 359 ngx_memzero(&qb, sizeof(ngx_quic_buffer_t)); | 360 ngx_memzero(&qb, sizeof(ngx_quic_buffer_t)); |
| 360 qb.chain = f->data; | 361 qb.chain = f->data; |
| 361 | 362 |
| 362 f->data = ngx_quic_read_buffer(c, &qb, of->length); | 363 out = ngx_quic_read_buffer(c, &qb, of->length); |
| 363 if (f->data == NGX_CHAIN_ERROR) { | 364 if (out == NGX_CHAIN_ERROR) { |
| 364 return NGX_ERROR; | 365 return NGX_ERROR; |
| 365 } | 366 } |
| 367 | |
| 368 f->data = out; | |
| 366 | 369 |
| 367 nf = ngx_quic_alloc_frame(c); | 370 nf = ngx_quic_alloc_frame(c); |
| 368 if (nf == NULL) { | 371 if (nf == NULL) { |
| 369 return NGX_ERROR; | 372 return NGX_ERROR; |
| 370 } | 373 } |