Mercurial > hg > nginx-quic
comparison src/http/ngx_http_spdy.c @ 5627:d74889fbf06d
SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.
Based on a patch by Xiaochen Wang.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 28 Mar 2014 20:05:07 +0400 |
parents | 2411d4b5be2c |
children | a24f88eff684 |
comparison
equal
deleted
inserted
replaced
5626:2411d4b5be2c | 5627:d74889fbf06d |
---|---|
1526 if (size >= sc->length) { | 1526 if (size >= sc->length) { |
1527 size = sc->length; | 1527 size = sc->length; |
1528 complete = 1; | 1528 complete = 1; |
1529 | 1529 |
1530 } else { | 1530 } else { |
1531 sc->length -= size; | |
1532 complete = 0; | 1531 complete = 0; |
1533 } | 1532 } |
1534 | 1533 |
1535 r = stream->request; | 1534 r = stream->request; |
1536 | 1535 |
1568 | 1567 |
1569 stream->skip_data = NGX_SPDY_DATA_ERROR; | 1568 stream->skip_data = NGX_SPDY_DATA_ERROR; |
1570 goto error; | 1569 goto error; |
1571 } | 1570 } |
1572 } | 1571 } |
1572 | |
1573 sc->length -= size; | |
1573 | 1574 |
1574 if (tf) { | 1575 if (tf) { |
1575 buf->start = pos; | 1576 buf->start = pos; |
1576 buf->pos = pos; | 1577 buf->pos = pos; |
1577 | 1578 |