Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2.c @ 6273:60f916da7294
HTTP/2: fix handling of connection errors.
Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.
Found with afl-fuzz.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
| author | Piotr Sikora <piotrsikora@google.com> |
|---|---|
| date | Thu, 01 Oct 2015 20:25:55 -0700 |
| parents | b6a665bf858a |
| children | 16905ecbb49e |
comparison
equal
deleted
inserted
replaced
| 6272:b6a665bf858a | 6273:60f916da7294 |
|---|---|
| 2375 | 2375 |
| 2376 if (err == NGX_HTTP_V2_INTERNAL_ERROR) { | 2376 if (err == NGX_HTTP_V2_INTERNAL_ERROR) { |
| 2377 ngx_debug_point(); | 2377 ngx_debug_point(); |
| 2378 } | 2378 } |
| 2379 | 2379 |
| 2380 if (h2c->state.stream) { | |
| 2381 h2c->state.stream->out_closed = 1; | |
| 2382 h2c->state.pool = NULL; | |
| 2383 ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); | |
| 2384 } | |
| 2385 | |
| 2386 ngx_http_v2_finalize_connection(h2c, err); | 2380 ngx_http_v2_finalize_connection(h2c, err); |
| 2387 | 2381 |
| 2388 return NULL; | 2382 return NULL; |
| 2389 } | 2383 } |
| 2390 | 2384 |
| 3812 ngx_http_v2_stream_t *stream; | 3806 ngx_http_v2_stream_t *stream; |
| 3813 ngx_http_v2_srv_conf_t *h2scf; | 3807 ngx_http_v2_srv_conf_t *h2scf; |
| 3814 | 3808 |
| 3815 c = h2c->connection; | 3809 c = h2c->connection; |
| 3816 | 3810 |
| 3811 if (h2c->state.stream) { | |
| 3812 h2c->state.stream->out_closed = 1; | |
| 3813 h2c->state.pool = NULL; | |
| 3814 ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); | |
| 3815 } | |
| 3816 | |
| 3817 h2c->blocked = 1; | 3817 h2c->blocked = 1; |
| 3818 | 3818 |
| 3819 if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) { | 3819 if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) { |
| 3820 (void) ngx_http_v2_send_output_queue(h2c); | 3820 (void) ngx_http_v2_send_output_queue(h2c); |
| 3821 } | 3821 } |