Mercurial > hg > nginx
comparison src/http/v2/ngx_http_v2_filter_module.c @ 7203:8b0553239592
HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().
This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.
Found by Coverity (CID 1429156).
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Fri, 09 Feb 2018 23:20:08 +0300 |
| parents | a49af443656f |
| children | e44c297a6b95 |
comparison
equal
deleted
inserted
replaced
| 7202:a49af443656f | 7203:8b0553239592 |
|---|---|
| 944 return NGX_DECLINED; | 944 return NGX_DECLINED; |
| 945 } | 945 } |
| 946 | 946 |
| 947 host = r->headers_in.host; | 947 host = r->headers_in.host; |
| 948 | 948 |
| 949 if (authority->len == 0 && host) { | 949 if (host == NULL) { |
| 950 return NGX_ABORT; | |
| 951 } | |
| 952 | |
| 953 if (authority->len == 0) { | |
| 950 | 954 |
| 951 len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len; | 955 len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len; |
| 952 | 956 |
| 953 tmp = ngx_palloc(r->pool, len); | 957 tmp = ngx_palloc(r->pool, len); |
| 954 pos = ngx_pnalloc(r->pool, len); | 958 pos = ngx_pnalloc(r->pool, len); |