[nginx] QUIC: fixed accessing a released stream.

Anonymous User
December 27, 2024 07:16AM
details: https://github.com/nginx/nginx/commit/e3a9b6ad08a86e799a3d77da3f2fc507d3c9699e
branches: master
commit: e3a9b6ad08a86e799a3d77da3f2fc507d3c9699e
user: Roman Arutyunyan <arut@nginx.com>
date: Tue, 10 Dec 2024 18:19:27 +0400
description:
QUIC: fixed accessing a released stream.

While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively. This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream. If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.

---
src/event/quic/ngx_event_quic_streams.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
index 178b805e4..a9a21f578 100644
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -174,7 +174,7 @@ ngx_int_t
ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
{
ngx_pool_t *pool;
- ngx_queue_t *q;
+ ngx_queue_t *q, posted_events;
ngx_rbtree_t *tree;
ngx_connection_t *sc;
ngx_rbtree_node_t *node;
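Review bot: In the declaration `ngx_queue_t *q, posted_events;` the pointer q and the queue head posted_events share one declarator list, which is easy to misread as two pointers. Declaring posted_events on its own line would make it obvious that it is a stack object whose address is later passed to ngx_queue_init() and ngx_post_event().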
@@ -197,6 +197,8 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
return NGX_OK;
}

+ ngx_queue_init(&posted_events);
+
node = ngx_rbtree_min(tree->root, tree->sentinel);

while (node) {
@@ -213,15 +215,21 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
}

sc->read->error = 1;
+ sc->read->ready = 1;
sc->write->error = 1;
-
- ngx_quic_set_event(sc->read);
- ngx_quic_set_event(sc->write);
+ sc->write->ready = 1;

sc->close = 1;
- sc->read->handler(sc->read);
+
+ if (sc->read->posted) {
+ ngx_delete_posted_event(sc->read);
+ }
+
+ ngx_post_event(sc->read, &posted_events);
}

+ ngx_event_process_posted((ngx_cycle_t *) ngx_cycle, &posted_events);
+
if (tree->root == tree->sentinel) {
return NGX_OK;
}
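Review bot: Draining posted_events with ngx_event_process_posted() after the loop is only safe if a stream destroyed from inside another stream's read handler has its read event taken off this local queue first, and nothing in the hunk states that. A short comment above the ngx_event_process_posted() call naming that dependency would keep a later change from reintroducing the access to a released stream. Separately, the hunk drops ngx_quic_set_event(sc->write) and posts only sc->read; if that macro did more than set ready on the write event, a line saying the write side is intentionally left unposted would help the next reader.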
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
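
The deferral pattern the commit message describes, as an added example that is not part of the original post and is not nginx code: a small constructed model in which one stream's read handler destroys another stream while the streams are being closed. All names are hypothetical, and the model assumes that destroying a stream also removes its pending event from the queue.

```c
#include <stddef.h>

/* Constructed model, not nginx code; every name here is hypothetical. */
typedef struct stream {
    struct stream *next;    /* link in the local posted queue */
    struct stream *victim;  /* stream this handler destroys as a side effect */
    int            posted, freed;
} stream_t;
typedef struct { stream_t *head, *tail; } queue_t;
static int handlers_run, touched_freed;

static void post(queue_t *q, stream_t *s) {
    s->next = NULL; s->posted = 1;
    if (q->tail) q->tail->next = s; else q->head = s;
    q->tail = s;
}

static void unpost(queue_t *q, stream_t *s) {
    stream_t **pp = &q->head, *prev = NULL;
    while (*pp && *pp != s) { prev = *pp; pp = &prev->next; }
    if (*pp == NULL) return;
    *pp = s->next; s->posted = 0;
    if (q->tail == s) q->tail = prev;
}

/* Assumption of the model: destroying a stream also unposts its event. */
static void destroy(queue_t *q, stream_t *s) {
    if (s->posted) unpost(q, s);
    s->freed = 1;
}

static void read_handler(queue_t *q, stream_t *s) {
    if (s->freed) { touched_freed++; return; }  /* would be a use-after-free */
    handlers_run++;
    if (s->victim) destroy(q, s->victim);       /* tears down another stream */
    destroy(q, s);
}

/* Phase 1 only posts; phase 2 pops from the head, so no saved "next"
   pointer is held across a handler call. Returns touched_freed. */
static int close_streams(stream_t *streams, size_t n) {
    queue_t q = { NULL, NULL };
    handlers_run = touched_freed = 0;
    for (size_t i = 0; i < n; i++) post(&q, &streams[i]);
    while (q.head) { stream_t *s = q.head; unpost(&q, s); read_handler(&q, s); }
    return touched_freed;
}

int main(void) { stream_t s[3] = {{0}}; s[0].victim = &s[1]; return close_streams(s, 3); }
```

With three streams where the first one's handler destroys the second, only two handlers run and none of them sees a destroyed stream.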