changeset 5627:d74889fbf06d

SPDY: fixed the DATA frame length handling in case of some errors. There are a few cases in ngx_http_spdy_state_read_data() related to error handling when ngx_http_spdy_state_skip() might be called with an inconsistent state between *pos and sc->length, that leads to violation of frame layout parsing and resulted in corruption of spdy connection. Based on a patch by Xiaochen Wang.
author Valentin Bartenev <vbart@nginx.com>
date Fri, 28 Mar 2014 20:05:07 +0400
parents 2411d4b5be2c
children a24f88eff684
files src/http/ngx_http_spdy.c
diffstat 1 files changed, 2 insertions(+), 1 deletions(-)
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_s
         complete = 1;
 
     } else {
-        sc->length -= size;
         complete = 0;
     }
 
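Review bot: The else branch in this hunk is left holding only `complete = 0;`, with no comment explaining why sc->length is no longer adjusted at this point. The commit message says the bug was ngx_http_spdy_state_skip() being called while *pos and sc->length were out of step, so a short comment here stating that sc->length must stay untouched until the data has actually been consumed would stop a later cleanup from moving the decrement back.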
@@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_s
             }
         }
 
+        sc->length -= size;
+
         if (tf) {
             buf->start = pos;
             buf->pos = pos;
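Review bot: The added `sc->length -= size;` sits just before `if (tf) {` with no visible condition on `complete`, so it appears to run in the complete case as well, where the removed line in the else branch never did. Please confirm that nothing later in the function reads sc->length expecting the pre-read value in that case. Also keep this line next to the place where pos is advanced by size (not visible in this context), so that an early return between the two cannot reintroduce the mismatch described in the commit message. The diffstat shows only src/http/ngx_http_spdy.c changed; a regression test covering the error paths would be a useful follow-up.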