details: https://hg.nginx.org/nginx/rev/4ed4e1e7f115
branches:
changeset: 9210:4ed4e1e7f115
user: Roman Arutyunyan <arut@nginx.com>
date: Wed Feb 14 15:55:37 2024 +0400
description:
QUIC: fixed stream cleanup (ticket #2586).

Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL). Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code. This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.

The fix is to reset the sc->connection pointer in case of error.

diffstat:

src/event/quic/ngx_event_quic_streams.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diffs (11 lines):

diff -r 1bf1b423f268 -r 4ed4e1e7f115 src/event/quic/ngx_event_quic_streams.c
--- a/src/event/quic/ngx_event_quic_streams.c Wed Feb 14 15:55:34 2024 +0400
+++ b/src/event/quic/ngx_event_quic_streams.c Wed Feb 14 15:55:37 2024 +0400
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *da
"quic stream id:0x%xL cleanup", qs->id);

if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+ qs->connection = NULL;
goto failed;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel