Mercurial > hg > nginx

changeset 6271:22ee99422329

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
HTTP/2: reject self-dependent streams. Per RFC7540, a stream cannot depend on itself. Previously, this requirement was enforced on PRIORITY frames, but not on HEADERS frames and due to the implementation details nginx worker would crash (stack overflow) while opening self-dependent stream. Found with afl-fuzz. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
author Piotr Sikora <piotrsikora@google.com>
date Thu, 01 Oct 2015 20:25:55 -0700
parents e769cc88f996
children b6a665bf858a
files src/http/v2/ngx_http_v2.c
diffstat 1 files changed, 16 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1133,6 +1133,22 @@ ngx_http_v2_state_headers(ngx_http_v2_co
 
     h2c->last_sid = h2c->state.sid;
 
+    if (depend == h2c->state.sid) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent HEADERS frame for stream %ui "
+                      "with incorrect dependency", h2c->state.sid);
+
+        if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid,
+                                        NGX_HTTP_V2_PROTOCOL_ERROR)
+            != NGX_OK)
+        {
+            return ngx_http_v2_connection_error(h2c,
+                                                NGX_HTTP_V2_INTERNAL_ERROR);
+        }
+
+        return ngx_http_v2_state_skip_headers(h2c, pos, end);
+    }
+
     h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
                                          ngx_http_v2_module);