Mercurial > hg > nginx
comparison src/http/ngx_http_spdy.c @ 5627:d74889fbf06d
SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.
Based on a patch by Xiaochen Wang.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Fri, 28 Mar 2014 20:05:07 +0400 |
| parents | 2411d4b5be2c |
| children | a24f88eff684 |
comparison
equal
deleted
inserted
replaced
| 5626:2411d4b5be2c | 5627:d74889fbf06d |
|---|---|
| 1526 if (size >= sc->length) { | 1526 if (size >= sc->length) { |
| 1527 size = sc->length; | 1527 size = sc->length; |
| 1528 complete = 1; | 1528 complete = 1; |
| 1529 | 1529 |
| 1530 } else { | 1530 } else { |
| 1531 sc->length -= size; | |
| 1532 complete = 0; | 1531 complete = 0; |
| 1533 } | 1532 } |
| 1534 | 1533 |
| 1535 r = stream->request; | 1534 r = stream->request; |
| 1536 | 1535 |
| 1568 | 1567 |
| 1569 stream->skip_data = NGX_SPDY_DATA_ERROR; | 1568 stream->skip_data = NGX_SPDY_DATA_ERROR; |
| 1570 goto error; | 1569 goto error; |
| 1571 } | 1570 } |
| 1572 } | 1571 } |
| 1572 | |
| 1573 sc->length -= size; | |
| 1573 | 1574 |
| 1574 if (tf) { | 1575 if (tf) { |
| 1575 buf->start = pos; | 1576 buf->start = pos; |
| 1576 buf->pos = pos; | 1577 buf->pos = pos; |
| 1577 | 1578 |