Mercurial > hg > nginx
changeset 5627:d74889fbf06d
SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.
Based on a patch by Xiaochen Wang.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 28 Mar 2014 20:05:07 +0400 |
parents | 2411d4b5be2c |
children | a24f88eff684 |
files | src/http/ngx_http_spdy.c |
diffstat | 1 files changed, 2 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_s complete = 1; } else { - sc->length -= size; complete = 0; } @@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_s } } + sc->length -= size; + if (tf) { buf->start = pos; buf->pos = pos;