Mercurial > hg > nginx

comparison src/http/v2/ngx_http_v2.c @ 7710:097f578a4a8f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
HTTP/2: fixed segfault on DATA frames after 400 errors. If 400 errors were redirected to an upstream server using the error_page directive, DATA frames from the client might cause segmentation fault due to null pointer dereference. The bug had appeared in 6989:2c4dbcd6f2e4 (1.13.0). Fix is to skip such frames in ngx_http_v2_state_read_data() (similarly to 7561:9f1f9d6e056a). With the fix, behaviour of 400 errors in HTTP/2 is now similar to one in HTTP/1.x, that is, nginx doesn't try to read the request body. Note that proxying 400 errors, as well as other early stage errors, to upstream servers might not be a good idea anyway. These errors imply that reading and processing of the request (and the request headers) wasn't complete, and proxying of such incomplete request might lead to various errors. Reported by Chenglong Zhang.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 23 Sep 2020 19:50:49 +0300
parents da5e3f5b1673
children 526dddf637bb
comparison
equal deleted inserted replaced
7709:052ecc68d350 7710:097f578a4a8f
1082 "skipping http2 DATA frame"); 1082 "skipping http2 DATA frame");
1083 1083
1084 return ngx_http_v2_state_skip_padded(h2c, pos, end); 1084 return ngx_http_v2_state_skip_padded(h2c, pos, end);
1085 } 1085 }
1086 1086
1087 if (r->headers_in.content_length_n < 0 && !r->headers_in.chunked) {
1088 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
1089 "skipping http2 DATA frame");
1090
1091 return ngx_http_v2_state_skip_padded(h2c, pos, end);
1092 }
1093
1087 size = end - pos; 1094 size = end - pos;
1088 1095
1089 if (size >= h2c->state.length) { 1096 if (size >= h2c->state.length) {
1090 size = h2c->state.length; 1097 size = h2c->state.length;
1091 stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG; 1098 stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG;