nginx-quic: src/http/modules/ngx_http_grpc

comparison src/http/modules/ngx_http_grpc_module.c @ 7410:9ac0e8b9aced stable-1.14

gRPC: clearing buffers in ngx_http_grpc_get_buf(). We copy input buffers to our buffers, so various flags might be unexpectedly set in buffers returned by ngx_chain_get_free_buf(). In particular, the b->in_file flag might be set when the body was written to a file in a different context. With sendfile enabled this in turn might result in protocol corruption if such a buffer was reused for a control frame. Make sure to clear buffers and set only fields we really need to be set.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 02 Jul 2018 19:02:08 +0300
parents	ed5b3c4c1284
children	c948804cd628

comparison

equal deleted inserted replaced

-:17ee239ae2e6
+:9ac0e8b9aced
 static ngx_chain_t *
 ngx_http_grpc_get_buf(ngx_http_request_t *r, ngx_http_grpc_ctx_t *ctx)
 {
+u_char       *start;
 ngx_buf_t    *b;
 ngx_chain_t  *cl;
 cl = ngx_chain_get_free_buf(r->pool, &ctx->free);
 if (cl == NULL) {
 return NULL;
 }
 b = cl->buf;
+start = b->start;
-b->tag = (ngx_buf_tag_t) &ngx_http_grpc_body_output_filter;
-b->temporary = 1;
+if (start == NULL) {
-b->flush = 1;
-if (b->start == NULL) {
 /*
 * each buffer is large enough to hold two window update
 * frames in a row
 */
-b->start = ngx_palloc(r->pool, 2 * sizeof(ngx_http_grpc_frame_t) + 8);
+start = ngx_palloc(r->pool, 2 * sizeof(ngx_http_grpc_frame_t) + 8);
-if (b->start == NULL) {
+if (start == NULL) {
 return NULL;
 }
-b->pos = b->start;
+}
-b->last = b->start;
+ngx_memzero(b, sizeof(ngx_buf_t));
-b->end = b->start + 2 * sizeof(ngx_http_grpc_frame_t) + 8;
-}
+b->start = start;
+b->pos = start;
+b->last = start;
+b->end = start + 2 * sizeof(ngx_http_grpc_frame_t) + 8;
+b->tag = (ngx_buf_tag_t) &ngx_http_grpc_body_output_filter;
+b->temporary = 1;
+b->flush = 1;
 return cl;
 }

Mercurial > hg > nginx-quic

comparison src/http/modules/ngx_http_grpc_module.c @ 7410:9ac0e8b9aced stable-1.14