view src/http/v3/ngx_http_v3_uni.h @ 9286:d9fe808c1841
HTTP/3: protection from recursion during connection reuse.

When draining a connection associated with an HTTP/3 stream, calling
ngx_http_v3_send_cancel_stream() might result in an attempt to obtain
a connection for the decoder stream. This in turn will trigger draining
of the very same connection. Depending on the client settings, this
might either lead to stack overflow or will end up in decoder stream
creation error and destroying the connection at some point, potentially
resulting in use-after-free on stack.

Fix is to make sure that connection reuse is disabled in
ngx_http_v3_reset_stream(), so the recursion in question won't happen
regardless of what called functions do.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 02 Jun 2024 23:51:55 +0300 |
parents | f742b1b46901 |
children |
```c
/*
 * Copyright (C) Roman Arutyunyan
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_HTTP_V3_UNI_H_INCLUDED_
#define _NGX_HTTP_V3_UNI_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>


void ngx_http_v3_init_uni_stream(ngx_connection_t *c);
ngx_int_t ngx_http_v3_register_uni_stream(ngx_connection_t *c, uint64_t type);

ngx_int_t ngx_http_v3_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id);

ngx_int_t ngx_http_v3_send_settings(ngx_connection_t *c);
ngx_int_t ngx_http_v3_send_goaway(ngx_connection_t *c, uint64_t id);
ngx_int_t ngx_http_v3_send_ack_section(ngx_connection_t *c,
    ngx_uint_t stream_id);
ngx_int_t ngx_http_v3_send_cancel_stream(ngx_connection_t *c,
    ngx_uint_t stream_id);
ngx_int_t ngx_http_v3_send_inc_insert_count(ngx_connection_t *c,
    ngx_uint_t inc);


#endif /* _NGX_HTTP_V3_UNI_H_INCLUDED_ */
```
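The re-entrancy described in the commit message, reduced to a stand-alone model: an added example, not nginx code. Every name in it (`drain`, `get_connection`, `reset_stream`, the `MAX_DEPTH` cutoff) is hypothetical, and the cutoff stands in for the point where real code would exhaust the stack or fail to create the decoder stream.

```c
#include <stdio.h>

#define MAX_DEPTH 8            /* model's stand-in for running out of stack */

/* One modelled stream connection plus pool state (all names hypothetical). */
static int reusable, closed;   /* on the reusable queue / already destroyed */
static int closes;             /* times the connection was destroyed */
static int free_conns;         /* free slots in the connection pool */
static int depth, max_depth;   /* current and deepest reset nesting */
static int guard;              /* 1 = reuse disabled before any other call */

static void reset_stream(void);

/* Draining closes a reusable connection to free a slot. */
static void drain(void) { if (reusable && !closed) reset_stream(); }

/* Obtaining a connection drains reusable ones when the pool is empty. */
static int get_connection(void) {
    if (free_conns == 0) drain();
    if (free_conns == 0) return -1;
    free_conns--;
    return 0;
}

/* Sending cancel-stream needs a connection for the decoder stream. */
static void send_cancel_stream(void) { (void) get_connection(); }

static void reset_stream(void) {
    if (++depth > max_depth) max_depth = depth;
    if (depth >= MAX_DEPTH) { depth--; return; }   /* cut off the model */
    if (guard) reusable = 0;   /* the fix: leave the reusable queue first */
    send_cancel_stream();      /* without the guard this re-enters drain() */
    closed = 1; closes++; free_conns++;
    depth--;
}

/* Run one drain of a full pool; returns the deepest reset nesting seen. */
int simulate(int with_guard) {
    reusable = 1; closed = 0; closes = 0; free_conns = 0;
    depth = max_depth = 0; guard = with_guard;
    drain();
    return max_depth;
}

int main(void) {
    printf("no guard: depth %d, ", simulate(0)); printf("closes %d\n", closes);
    printf("guard:    depth %d, ", simulate(1)); printf("closes %d\n", closes);
    return 0;
}
```

Without the guard the same connection is reset at every nesting level and then torn down repeatedly on the way back out, which is the model's analogue of the use-after-free; with the guard the nested drain finds nothing reusable and the reset runs once.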