Roman Arutyunyan
August 14, 2023 10:02AM
details: https://hg.nginx.org/nginx/rev/5d1e7c74aadf
branches:
changeset: 9141:5d1e7c74aadf
user: Roman Arutyunyan <arut@nginx.com>
date: Tue Aug 01 11:20:04 2023 +0400
description:
QUIC: avoid accessing freed frame.

Previously the field pnum of a potentially freed frame was accessed. Now the
value is copied to a local variable. The old behavior did not cause any
problems since the frame memory is not freed, but is moved to a free queue
instead.

diffstat:

src/event/quic/ngx_event_quic_ack.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diffs (28 lines):

diff -r e9a003d40485 -r 5d1e7c74aadf src/event/quic/ngx_event_quic_ack.c
--- a/src/event/quic/ngx_event_quic_ack.c Thu Jul 27 13:35:42 2023 +0400
+++ b/src/event/quic/ngx_event_quic_ack.c Tue Aug 01 11:20:04 2023 +0400
@@ -548,6 +548,7 @@ ngx_quic_persistent_congestion(ngx_conne
void
ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx)
{
+ uint64_t pnum;
ngx_queue_t *q;
ngx_quic_frame_t *f, *start;
ngx_quic_stream_t *qs;
@@ -556,6 +557,7 @@ ngx_quic_resend_frames(ngx_connection_t
qc = ngx_quic_get_connection(c);
q = ngx_queue_head(&ctx->sent);
start = ngx_queue_data(q, ngx_quic_frame_t, queue);
+ pnum = start->pnum;

ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic resend packet pnum:%uL", start->pnum);
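Review bot: the debug log right after the new copy still reads `start->pnum`; it is safe at that point because nothing has been released yet, but for consistency the call should use the local too, so that no read of the field survives past the snapshot: `"quic resend packet pnum:%uL", pnum);`.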
@@ -565,7 +567,7 @@ ngx_quic_resend_frames(ngx_connection_t
do {
f = ngx_queue_data(q, ngx_quic_frame_t, queue);

- if (f->pnum != start->pnum) {
+ if (f->pnum != pnum) {
break;
}

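Review bot: the comparison no longer dereferences `start`, but the hunk stops at the `break`, so the part of the loop body that actually moves the frame to the free queue is not visible in this diff; confirm no other use of `start` remains after that point. Since the commit message says the access was harmless only because frames go to a free queue rather than being freed, a one-line comment at the `uint64_t pnum;` declaration (why the value is snapshotted) would keep a future change to real freeing from reintroducing the dereference.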
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
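The bug class fixed above, as an added example that is not nginx's code: a loop walks an intrusive queue, recycles each element it visits, and keeps comparing against a field of the first element after that element has been recycled. The queue and frame types below are a hypothetical reimplementation modelled on ngx_queue_t and the pnum field; the sample packet numbers are constructed. Recycling poisons the field instead of calling free(), so the wrong result is deterministic rather than undefined behaviour; with a real free() the "before" loop would be a use-after-free that AddressSanitizer flags.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Intrusive doubly-linked queue with a sentinel head, modelled on nginx's
 * ngx_queue_t. Hypothetical reimplementation for this example, not nginx code. */
typedef struct queue_s queue_t;
struct queue_s {
    queue_t *prev;
    queue_t *next;
};

static void queue_init(queue_t *h) { h->prev = h; h->next = h; }
static queue_t *queue_head(queue_t *h) { return h->next; }

static void queue_remove(queue_t *x) {
    x->next->prev = x->prev;
    x->prev->next = x->next;
}

static void queue_insert_tail(queue_t *h, queue_t *x) {
    x->prev = h->prev;
    x->prev->next = x;
    x->next = h;
    h->prev = x;
}

#define queue_data(q, type, link) \
    ((type *) ((unsigned char *) (q) - offsetof(type, link)))

/* A sent frame tagged with the packet number it was last sent in. */
typedef struct {
    queue_t   queue;
    uint64_t  pnum;
} frame_t;

/* Poison written when a frame is recycled; stands in for the garbage a
 * reused (or truly freed) frame would contain. */
#define RECYCLED_PNUM  UINT64_MAX

/* Move a frame from the sent queue to the free queue and poison it. */
static void free_frame(queue_t *free_q, frame_t *f) {
    queue_remove(&f->queue);
    f->pnum = RECYCLED_PNUM;
    queue_insert_tail(free_q, &f->queue);
}

/* "Before" pattern: every iteration compares against start->pnum, but start
 * itself is recycled on the first iteration, so the second comparison reads
 * the poisoned value and the loop stops after one frame instead of resending
 * every frame of the packet. */
size_t resend_before(queue_t *sent, queue_t *free_q) {
    size_t    n = 0;
    queue_t  *q = queue_head(sent);
    frame_t  *start;

    if (q == sent) {            /* empty queue: nothing to resend */
        return 0;
    }
    start = queue_data(q, frame_t, queue);

    do {
        frame_t *f = queue_data(q, frame_t, queue);
        if (f->pnum != start->pnum) {
            break;
        }
        q = q->next;
        free_frame(free_q, f);  /* first pass recycles start */
        n++;
    } while (q != sent);

    return n;
}

/* "After" pattern: snapshot the packet number into a local before the loop
 * so nothing dereferences start once it may have been recycled. */
size_t resend_after(queue_t *sent, queue_t *free_q) {
    size_t    n = 0;
    queue_t  *q = queue_head(sent);
    uint64_t  pnum;

    if (q == sent) {
        return 0;
    }
    pnum = queue_data(q, frame_t, queue)->pnum;

    do {
        frame_t *f = queue_data(q, frame_t, queue);
        if (f->pnum != pnum) {
            break;
        }
        q = q->next;
        free_frame(free_q, f);
        n++;
    } while (q != sent);

    return n;
}

typedef size_t (*resend_fn)(queue_t *, queue_t *);

/* Constructed sample: three frames from packet 7, then packets 8 and 9. */
static const uint64_t sample_pnums[] = { 7, 7, 7, 8, 9 };
#define SAMPLE_LEN  (sizeof(sample_pnums) / sizeof(sample_pnums[0]))

/* Build the sent queue, run one resend pass, report frames resent and
 * frames still left in the sent queue. */
static size_t run_resend(resend_fn fn, size_t *remaining) {
    frame_t   frames[SAMPLE_LEN];
    queue_t   sent, free_q, *q;
    size_t    i, left = 0, resent;

    queue_init(&sent);
    queue_init(&free_q);
    for (i = 0; i < SAMPLE_LEN; i++) {
        frames[i].pnum = sample_pnums[i];
        queue_insert_tail(&sent, &frames[i].queue);
    }

    resent = fn(&sent, &free_q);
    for (q = queue_head(&sent); q != &sent; q = q->next) {
        left++;
    }
    *remaining = left;
    return resent;
}

size_t resent_before(void)   { size_t left; return run_resend(resend_before, &left); }
size_t resent_after(void)    { size_t left; return run_resend(resend_after, &left); }
size_t remaining_after(void) { size_t left; run_resend(resend_after, &left); return left; }

int main(void) {
    size_t left, n;

    n = run_resend(resend_before, &left);
    printf("before: resent %zu frame(s), %zu left in sent queue\n", n, left);
    n = run_resend(resend_after, &left);
    printf("after:  resent %zu frame(s), %zu left in sent queue\n", n, left);
    return 0;
}
```

The "before" loop resends only one of the three packet-7 frames because its second comparison reads the recycled start frame; the "after" loop resends all three and leaves packets 8 and 9 queued. The snapshot costs one local and removes every post-recycle read of the head element, which is the property the nginx change restores.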