[nginx] HTTP/2: fix handling of connection errors.

Valentin Bartenev vbart at nginx.com
Mon Oct 26 14:39:33 UTC 2015


details:   http://hg.nginx.org/nginx/rev/60f916da7294
branches:  
changeset: 6273:60f916da7294
user:      Piotr Sikora <piotrsikora at google.com>
date:      Thu Oct 01 20:25:55 2015 -0700
description:
HTTP/2: fix handling of connection errors.

Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora at google.com>

diffstat:

 src/http/v2/ngx_http_v2.c |  12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diffs (29 lines):

diff -r b6a665bf858a -r 60f916da7294 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Thu Oct 01 20:25:55 2015 -0700
+++ b/src/http/v2/ngx_http_v2.c	Thu Oct 01 20:25:55 2015 -0700
@@ -2377,12 +2377,6 @@ ngx_http_v2_connection_error(ngx_http_v2
         ngx_debug_point();
     }
 
-    if (h2c->state.stream) {
-        h2c->state.stream->out_closed = 1;
-        h2c->state.pool = NULL;
-        ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST);
-    }
-
     ngx_http_v2_finalize_connection(h2c, err);
 
     return NULL;
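
Review bot: with the `if (h2c->state.stream)` block removed ahead of the `ngx_http_v2_finalize_connection(h2c, err);` call, nothing at this call site shows that the in-progress stream is still closed on a connection error. A one-line comment above the call, saying that ngx_http_v2_finalize_connection() now closes h2c->state.stream, would keep a later reader from re-adding the cleanup here on top of the one in ngx_http_v2_finalize_connection().
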
@@ -3814,6 +3808,12 @@ ngx_http_v2_finalize_connection(ngx_http
 
     c = h2c->connection;
 
+    if (h2c->state.stream) {
+        h2c->state.stream->out_closed = 1;
+        h2c->state.pool = NULL;
+        ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST);
+    }
+
     h2c->blocked = 1;
 
     if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) {
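
Review bot: the added block leaves h2c->state.stream pointing at the stream after ngx_http_v2_close_stream() returns, and nothing in the visible lines resets it. If ngx_http_v2_close_stream() does not clear that pointer itself and ngx_http_v2_finalize_connection() can run again for the same h2c, the block would close the stream a second time. Consider setting h2c->state.stream to NULL after the call, or confirm that the function cannot be re-entered. A short comment on why `h2c->state.pool = NULL;` precedes the close would also help, since the ownership of that pool is not evident from this hunk.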


