Welcome! Log In Create A New Profile

[nginx] SPDY: fixed the DATA frame length handling in case of so...

Forum List Message List New Topic Print View

Valentin Bartenev

March 28, 2014 12:06PM

details: http://hg.nginx.org/nginx/rev/d74889fbf06d
branches:
changeset: 5627:d74889fbf06d
user: Valentin Bartenev <vbart@nginx.com>
date: Fri Mar 28 20:05:07 2014 +0400
description:
SPDY: fixed the DATA frame length handling in case of some errors.

There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.

diffstat:

src/http/ngx_http_spdy.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diffs (20 lines):

diff -r 2411d4b5be2c -r d74889fbf06d src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c Wed Mar 26 18:01:11 2014 +0400
+++ b/src/http/ngx_http_spdy.c Fri Mar 28 20:05:07 2014 +0400
@@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_s
complete = 1;

} else {
- sc->length -= size;
complete = 0;
}

@@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_s
}
}

+ sc->length -= size;
+
if (tf) {
buf->start = pos;
buf->pos = pos;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[nginx] SPDY: fixed the DATA frame length handling in case of so...	Valentin Bartenev	615	March 28, 2014 12:06PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 256

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018