[nginx] HTTP/2: backed out 16905ecbb49e (ticket #822).

Valentin Bartenev vbart at nginx.com
Thu Nov 5 12:01:45 UTC 2015


details:   http://hg.nginx.org/nginx/rev/0f4b7800e681
branches:  
changeset: 6288:0f4b7800e681
user:      Valentin Bartenev <vbart at nginx.com>
date:      Thu Nov 05 15:01:01 2015 +0300
description:
HTTP/2: backed out 16905ecbb49e (ticket #822).

It caused an inconsistency between setting the "in_closed" flag and the moment
when the last DATA frame was actually read.  As a result, the body buffer might
not be initialized properly in ngx_http_v2_init_request_body(), which led to a
segmentation fault in ngx_http_v2_state_read_data().  Also, it might cause
processing of an incomplete body to start.

This issue could be triggered when the processing of a request was delayed,
e.g. in the limit_req or auth_request modules.

diffstat:

 src/http/v2/ngx_http_v2.c |  8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diffs (32 lines):

diff -r 4ccb37b04454 -r 0f4b7800e681 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Fri Oct 30 21:43:30 2015 +0300
+++ b/src/http/v2/ngx_http_v2.c	Thu Nov 05 15:01:01 2015 +0300
@@ -870,8 +870,6 @@ ngx_http_v2_state_data(ngx_http_v2_conne
         return ngx_http_v2_state_skip_padded(h2c, pos, end);
     }
 
-    stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG;
-
     h2c->state.stream = stream;
 
     return ngx_http_v2_state_read_data(h2c, pos, end);
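
Review bot: With the assignment gone from the spot just before `h2c->state.stream = stream;`, nothing in ngx_http_v2_state_data() records END_STREAM any more, and the code does not say why. The commit message explains that setting in_closed before the last DATA frame was actually read is what left the body buffer uninitialized, so a short comment here stating that in_closed is deliberately set only in ngx_http_v2_state_read_data() would keep a later cleanup from moving it back.
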
@@ -899,6 +897,8 @@ ngx_http_v2_state_read_data(ngx_http_v2_
     }
 
     if (stream->skip_data) {
+        stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG;
+
         ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
                        "skipping http2 DATA frame, reason: %d",
                        stream->skip_data);
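
Review bot: The assignment added at the top of the `if (stream->skip_data)` branch stores the masked value `h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG`, while the third hunk stores a literal `stream->in_closed = 1;`. The two forms only agree if the masked value fits the width of in_closed, which these lines do not show. Suggest using one form in both places, for example testing the flag and assigning 1, so the skip path and the normal path cannot diverge if the flag value or the field width changes.
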
@@ -988,7 +988,9 @@ ngx_http_v2_state_read_data(ngx_http_v2_
                                       ngx_http_v2_state_read_data);
     }
 
-    if (stream->in_closed) {
+    if (h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) {
+        stream->in_closed = 1;
+
         if (r->headers_in.content_length_n < 0) {
             r->headers_in.content_length_n = rb->rest;
 
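
Review bot: The new condition `if (h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)` sits after the early return that ends in `ngx_http_v2_state_read_data);`, so it relies on h2c->state.flags still describing the same DATA frame when the handler is re-entered with the rest of the payload. A one-line comment stating that in_closed is set here only once the frame has been fully read would make that dependency explicit. The diffstat lists only src/http/v2/ngx_http_v2.c, so a regression test with a delayed request (the commit message names limit_req and auth_request as triggers) would be a useful follow-up.
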


