# HG changeset patch # User Sergey Kandaurov # Date 1683201143 -14400 # Node ID 8f2f40d3fd18dbd2f1f1c3601c915f1deaa69461 # Parent 394e9a2cefc41aa5604d91a40afcd0001deecedf QUIC: fixed split frames error handling. Do not corrupt frame data chain pointer on ngx_quic_read_buffer() error. The error leads to closing a QUIC connection where the frame may be used as part of the QUIC connection tear down, which envolves writing pending frames, including this one. diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c --- a/src/event/quic/ngx_event_quic_frames.c +++ b/src/event/quic/ngx_event_quic_frames.c @@ -319,6 +319,7 @@ ngx_int_t ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len) { size_t shrink; + ngx_chain_t *out; ngx_quic_frame_t *nf; ngx_quic_buffer_t qb; ngx_quic_ordered_frame_t *of, *onf; @@ -359,11 +360,13 @@ ngx_quic_split_frame(ngx_connection_t *c ngx_memzero(&qb, sizeof(ngx_quic_buffer_t)); qb.chain = f->data; - f->data = ngx_quic_read_buffer(c, &qb, of->length); - if (f->data == NGX_CHAIN_ERROR) { + out = ngx_quic_read_buffer(c, &qb, of->length); + if (out == NGX_CHAIN_ERROR) { return NGX_ERROR; } + f->data = out; + nf = ngx_quic_alloc_frame(c); if (nf == NULL) { return NGX_ERROR;