Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2.c @ 6271:22ee99422329
HTTP/2: reject self-dependent streams.
Per RFC7540, a stream cannot depend on itself.
Previously, this requirement was enforced on PRIORITY frames, but not on
HEADERS frames and due to the implementation details nginx worker would
crash (stack overflow) while opening self-dependent stream.
Found with afl-fuzz.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
| author | Piotr Sikora <piotrsikora@google.com> |
|---|---|
| date | Thu, 01 Oct 2015 20:25:55 -0700 |
| parents | ee16fb0db905 |
| children | b6a665bf858a |
comparison
equal
deleted
inserted
replaced
| 6270:e769cc88f996 | 6271:22ee99422329 |
|---|---|
| 1131 return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_PROTOCOL_ERROR); | 1131 return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_PROTOCOL_ERROR); |
| 1132 } | 1132 } |
| 1133 | 1133 |
| 1134 h2c->last_sid = h2c->state.sid; | 1134 h2c->last_sid = h2c->state.sid; |
| 1135 | 1135 |
| 1136 if (depend == h2c->state.sid) { | |
| 1137 ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, | |
| 1138 "client sent HEADERS frame for stream %ui " | |
| 1139 "with incorrect dependency", h2c->state.sid); | |
| 1140 | |
| 1141 if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, | |
| 1142 NGX_HTTP_V2_PROTOCOL_ERROR) | |
| 1143 != NGX_OK) | |
| 1144 { | |
| 1145 return ngx_http_v2_connection_error(h2c, | |
| 1146 NGX_HTTP_V2_INTERNAL_ERROR); | |
| 1147 } | |
| 1148 | |
| 1149 return ngx_http_v2_state_skip_headers(h2c, pos, end); | |
| 1150 } | |
| 1151 | |
| 1136 h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, | 1152 h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, |
| 1137 ngx_http_v2_module); | 1153 ngx_http_v2_module); |
| 1138 | 1154 |
| 1139 h2c->state.header_limit = h2scf->max_header_size; | 1155 h2c->state.header_limit = h2scf->max_header_size; |
| 1140 | 1156 |