changeset 8841:1f7f98638dc2 quic

QUIC: fixed null pointer dereference in MAX_DATA handler. If a MAX_DATA frame was received before any stream was created, then the worker process would crash in nginx_quic_handle_max_data_frame() while traversing the stream tree. The issue is solved by adding a check that makes sure the tree is not empty.
author Mariano Di Martino <mariano.dimartino@uhasselt.be>
date Fri, 03 Sep 2021 14:23:50 +0300
parents 4d871baeacd2
children 486c6a9be111
files src/event/quic/ngx_event_quic_streams.c
diffstat 1 files changed, 3 insertions(+), 1 deletions(-)
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -1000,7 +1000,9 @@ ngx_quic_handle_max_data_frame(ngx_conne
         return NGX_OK;
     }
 
-    if (qc->streams.sent >= qc->streams.send_max_data) {
+    if (tree->root != tree->sentinel
+        && qc->streams.sent >= qc->streams.send_max_data)
+    {
 
         for (node = ngx_rbtree_min(tree->root, tree->sentinel);
              node;
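Review bot: the new `tree->root != tree->sentinel` test in the `if` condition has no comment saying why it is there, and it reads as part of the flow-control comparison rather than as a precondition of the `ngx_rbtree_min(tree->root, tree->sentinel)` call in the loop header below it. A one-line comment stating that the stream tree may be empty when MAX_DATA arrives before any stream exists would keep a later refactor from dropping it. Folding the check into the same condition also skips the whole block for an empty tree, not just the traversal; the rest of the block is not visible in this hunk, so it is worth confirming that nothing after the loop needs to run when there are no streams, or else guarding only the `for` loop. Minor style point: the blank line directly after the opening `{` could be dropped while this line is being touched.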