Changeset 7208:affeb6ef732c in nginx


Timestamp:
02/15/18 14:51:37 (2 years ago)
Author:
Ruslan Ermilov <ru@…>
Branch:
default
Phase:
public
Message:

HTTP/2: fixed ngx_http_v2_push_stream() allocation error handling.

In particular, if a stream object allocation failed, and a client sent
the PRIORITY frame for this stream, ngx_http_v2_set_dependency() could
dereference a null pointer while trying to re-parent a dependency node.

File:
1 edited

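--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -2547,4 +2547,6 @@
     ngx_int_t                     rc;
     ngx_str_t                     value;
+    ngx_pool_t                   *pool;
+    ngx_uint_t                    index;
     ngx_table_elt_t             **h;
     ngx_connection_t             *fc;
@@ -2552,4 +2554,5 @@
     ngx_http_v2_node_t           *node;
     ngx_http_v2_stream_t         *stream;
+    ngx_http_v2_srv_conf_t       *h2scf;
     ngx_http_v2_connection_t     *h2c;
     ngx_http_v2_parse_header_t   *header;
@@ -2557,8 +2560,32 @@
     h2c = parent->connection;
 
+    pool = ngx_create_pool(1024, h2c->connection->log);
+    if (pool == NULL) {
+        goto rst_stream;
+    }
+
     node = ngx_http_v2_get_node_by_id(h2c, h2c->last_push, 1);
 
     if (node == NULL) {
-        return NULL;
+        ngx_destroy_pool(pool);
+        goto rst_stream;
+    }
+
+    stream = ngx_http_v2_create_stream(h2c, 1);
+    if (stream == NULL) {
+
+        if (node->parent == NULL) {
+            h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+                                                 ngx_http_v2_module);
+
+            index = ngx_http_v2_index(h2scf, h2c->last_push);
+            h2c->streams_index[index] = node->index;
+
+            ngx_queue_insert_tail(&h2c->closed, &node->reuse);
+            h2c->closed_nodes++;
+        }
+
+        ngx_destroy_pool(pool);
+        goto rst_stream;
     }
 
@@ -2568,13 +2595,5 @@
     }
 
-    stream = ngx_http_v2_create_stream(h2c, 1);
-    if (stream == NULL) {
-        return NULL;
-    }
-
-    stream->pool = ngx_create_pool(1024, h2c->connection->log);
-    if (stream->pool == NULL) {
-        return NULL;
-    }
+    stream->pool = pool;
 
     r = stream->request;
@@ -2609,7 +2628,7 @@
     }
 
-    value.data = ngx_pstrdup(stream->pool, path);
+    value.data = ngx_pstrdup(pool, path);
     if (value.data == NULL) {
-        return NULL;
+        goto close;
     }
 
@@ -2632,7 +2651,7 @@
         value.len = (*h)->value.len;
 
-        value.data = ngx_pnalloc(stream->pool, value.len + 1);
+        value.data = ngx_pnalloc(pool, value.len + 1);
         if (value.data == NULL) {
-            return NULL;
+            goto close;
         }
 
@@ -2664,5 +2683,18 @@
     }
 
-    (void) ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+close:
+
+    ngx_http_v2_close_stream(stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
+
+    return NULL;
+
+rst_stream:
+
+    if (ngx_http_v2_send_rst_stream(h2c, h2c->last_push,
+                                    NGX_HTTP_INTERNAL_SERVER_ERROR)
+        != NGX_OK)
+    {
+        h2c->connection->error = 1;
+    }
 
     return NULL;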
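Review bot: Under `rst_stream:` the call to `ngx_http_v2_send_rst_stream()` is given `NGX_HTTP_INTERNAL_SERVER_ERROR`, which reads as an HTTP status constant, while the line this commit removes passed the HTTP/2 error code `NGX_HTTP_V2_INTERNAL_ERROR`. The helper's definition is outside this view, but if its third argument is written into the RST_STREAM frame as the error code, the peer would receive a value that is not a defined HTTP/2 error code; the argument line would then read `NGX_HTTP_V2_INTERNAL_ERROR)`. The same constant under `close:` is fine only if `ngx_http_v2_close_stream()` expects an HTTP status, which is worth confirming. The `stream == NULL` branch would also benefit from a one-line comment such as `/* no stream was attached: return the node to the closed queue */`, since the reason for re-indexing and queuing the node is stated only in the commit message. The function body starts and ends outside the shown hunks.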