# HG changeset patch
# User Valentin Bartenev <vbart@nginx.com>
# Date 1398875660 -14400
# Node ID 19a14a48470724bf0b2a34122c9680b537eca6d7
# Parent  2315886112302e81331c1a175dfd270751d734ed
SPDY: added protection from overrun of the receive buffer.

diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -1921,6 +1921,14 @@ ngx_http_spdy_state_complete(ngx_http_sp
     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, sc->connection->log, 0,
                    "spdy frame complete pos:%p end:%p", pos, end);
 
+    if (pos > end) {
+        ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
+                      "receive buffer overrun");
+
+        ngx_debug_point();
+        return ngx_http_spdy_state_internal_error(sc);
+    }
+
     sc->handler = ngx_http_spdy_state_head;
     sc->stream = NULL;