Mercurial > hg > nginx
comparison src/http/v3/ngx_http_v3_request.c @ 9286:d9fe808c1841
HTTP/3: protection from recursion during connection reuse.
When draining a connection associated with an HTTP/3 stream, calling
ngx_http_v3_send_cancel_stream() might result in an attempt to obtain
a connection for the decoder stream. This in turn will trigger draining
of the very same connection. Depending on the client settings, this
might either lead to stack overflow or will end up in decoder stream
creation error and destroying the connection at some point, potentially
resulting in use-after-free on stack.
Fix is to make sure that connection reuse is disabled in
ngx_http_v3_reset_stream(), so the recursion in question won't happen
regardless of what called functions do.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 02 Jun 2024 23:51:55 +0300 |
| parents | 199dc0d6b05b |
| children |
comparison
equal
deleted
inserted
replaced
| 9285:4c7a9355bcae | 9286:d9fe808c1841 |
|---|---|
| 399 ngx_http_v3_reset_stream(ngx_connection_t *c) | 399 ngx_http_v3_reset_stream(ngx_connection_t *c) |
| 400 { | 400 { |
| 401 ngx_http_v3_session_t *h3c; | 401 ngx_http_v3_session_t *h3c; |
| 402 ngx_http_v3_srv_conf_t *h3scf; | 402 ngx_http_v3_srv_conf_t *h3scf; |
| 403 | 403 |
| 404 ngx_reusable_connection(c, 0); | |
| 405 | |
| 404 h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module); | 406 h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module); |
| 405 | 407 |
| 406 h3c = ngx_http_v3_get_session(c); | 408 h3c = ngx_http_v3_get_session(c); |
| 407 | 409 |
| 408 if (h3scf->max_table_capacity > 0 && !c->read->eof && !h3c->hq | 410 if (h3scf->max_table_capacity > 0 && !c->read->eof && !h3c->hq |