Mercurial > hg > nginx
diff conf/koi-win @ 8501:fc16e303003a quic
QUIC: fixed possible use-after-free on stream cleanup.
A QUIC stream could be destroyed by handler while in ngx_quic_stream_input().
To detect this, ngx_quic_find_stream() is used to check that it still exists.
Previously, a stream id was passed to this routine off the frame structure.
In case of stream cleanup, it is freed along with other frames belonging to
the stream on cleanup. Then, a cleanup handler reuses last frames to update
MAX_STREAMS and serve other purpose. Thus, ngx_quic_find_stream() is passed
a reused frame with zeroed out part pointed by stream_id. If a stream with
id 0x0 still exists, this leads to use-after-free.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 07 Aug 2020 12:34:11 +0300 |
parents | 400711951595 |
children |