[PATCH 7 of 7] HTTP/3: protection from recursion during connection reuse
Maxim Dounin
mdounin at mdounin.ru
Fri May 31 00:58:32 UTC 2024
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1717116498 -10800
# Fri May 31 03:48:18 2024 +0300
# Node ID 5710b269079c37a0bc99fcfc0e156f971fdfe75a
# Parent 8eecd832d2711dca1f7d4eff96369cdc3be514f4
HTTP/3: protection from recursion during connection reuse.
When draining a connection associated with an HTTP/3 stream, calling
ngx_http_v3_send_cancel_stream() might result in an attempt to obtain
a connection for the decoder stream. This in turn will trigger draining
of the very same connection. Depending on the client settings, this
might either lead to stack overflow or will end up in decoder stream
creation error and destroying the connection at some point, potentially
resulting in use-after-free on stack.
Fix is to make sure that connection reuse is disabled in
ngx_http_v3_reset_stream(), so the recursion in question won't happen
regardless of what called functions do.
diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -401,6 +401,8 @@ ngx_http_v3_reset_stream(ngx_connection_
ngx_http_v3_session_t *h3c;
ngx_http_v3_srv_conf_t *h3scf;
+ ngx_reusable_connection(c, 0);
+
h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
h3c = ngx_http_v3_get_session(c);
More information about the nginx-devel
mailing list