[nginx] HTTP/3: protection from recursion during connection reuse.

Maxim Dounin mdounin at mdounin.ru
Mon Jun 3 01:46:30 UTC 2024


details:   http://freenginx.org/hg/nginx/rev/d9fe808c1841
branches:  
changeset: 9286:d9fe808c1841
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sun Jun 02 23:51:55 2024 +0300
description:
HTTP/3: protection from recursion during connection reuse.

When draining a connection associated with an HTTP/3 stream, calling
ngx_http_v3_send_cancel_stream() might result in an attempt to obtain
a connection for the decoder stream.  This in turn will trigger draining
of the very same connection.  Depending on the client settings, this
might either lead to stack overflow or will end up in decoder stream
creation error and destroying the connection at some point, potentially
resulting in use-after-free on stack.

Fix is to make sure that connection reuse is disabled in
ngx_http_v3_reset_stream(), so the recursion in question won't happen
regardless of what called functions do.

diffstat:

 src/http/v3/ngx_http_v3_request.c |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (12 lines):

diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -401,6 +401,8 @@ ngx_http_v3_reset_stream(ngx_connection_
     ngx_http_v3_session_t   *h3c;
     ngx_http_v3_srv_conf_t  *h3scf;
 
+    ngx_reusable_connection(c, 0);
+
     h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
 
     h3c = ngx_http_v3_get_session(c);
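
Review bot: The added ngx_reusable_connection(c, 0) call at the top of ngx_http_v3_reset_stream() has no comment, so the reason it must come before the rest of the function is recorded only in the commit message. Suggest a short comment above it saying that reuse is disabled here so that obtaining a connection for the decoder stream from ngx_http_v3_send_cancel_stream() cannot drain this same connection. The visible lines also do not show whether reuse is turned back on anywhere after this call; if the connection is meant to stay non-reusable until it is closed, stating that in the same comment would make the intent explicit.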


