Mercurial > hg > nginx
changeset 7203:8b0553239592
HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().
This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.
Found by Coverity (CID 1429156).
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Fri, 09 Feb 2018 23:20:08 +0300 |
parents | a49af443656f |
children | e44c297a6b95 |
files | src/http/v2/ngx_http_v2_filter_module.c |
diffstat | 1 files changed, 5 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_reque host = r->headers_in.host; - if (authority->len == 0 && host) { + if (host == NULL) { + return NGX_ABORT; + } + + if (authority->len == 0) { len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;