Mercurial > hg > nginx
changeset 6273:60f916da7294
HTTP/2: fix handling of connection errors.
Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.
Found with afl-fuzz.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
author | Piotr Sikora <piotrsikora@google.com> |
---|---|
date | Thu, 01 Oct 2015 20:25:55 -0700 |
parents | b6a665bf858a |
children | b2de4a56b860 |
files | src/http/v2/ngx_http_v2.c |
diffstat | 1 files changed, 6 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/v2/ngx_http_v2.c Thu Oct 01 20:25:55 2015 -0700 +++ b/src/http/v2/ngx_http_v2.c Thu Oct 01 20:25:55 2015 -0700 @@ -2377,12 +2377,6 @@ ngx_debug_point(); } - if (h2c->state.stream) { - h2c->state.stream->out_closed = 1; - h2c->state.pool = NULL; - ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); - } - ngx_http_v2_finalize_connection(h2c, err); return NULL; @@ -3814,6 +3808,12 @@ c = h2c->connection; + if (h2c->state.stream) { + h2c->state.stream->out_closed = 1; + h2c->state.pool = NULL; + ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); + } + h2c->blocked = 1; if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) {