[nginx] HTTP/2: fixed socket leak with an incomplete HEADERS frame.

Sergey Kandaurov pluknet at nginx.com
Wed Feb 5 15:10:08 UTC 2020


details:   https://hg.nginx.org/nginx/rev/72b792bb3885
branches:  
changeset: 7623:72b792bb3885
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Wed Feb 05 16:29:23 2020 +0300
description:
HTTP/2: fixed socket leak with an incomplete HEADERS frame.

A connection could get stuck without timers if a client has partially sent
the HEADERS frame such that it was split on the individual header boundary.
In this case, it cannot be processed without the rest of the HEADERS frame.

The fix is to call ngx_http_v2_state_headers_save() in this case.  Normally,
it would be called from the ngx_http_v2_state_header_block() handler on the
next iteration, when there is not enough data to continue processing.  This
isn't the case if recv_buffer became empty and there's no more data to read.

diffstat:

 src/http/v2/ngx_http_v2.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (19 lines):

diff -r 2955192fb210 -r 72b792bb3885 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Wed Feb 05 16:29:14 2020 +0300
+++ b/src/http/v2/ngx_http_v2.c	Wed Feb 05 16:29:23 2020 +0300
@@ -1719,8 +1719,13 @@ ngx_http_v2_state_header_complete(ngx_ht
     ngx_http_v2_stream_t  *stream;
 
     if (h2c->state.length) {
-        h2c->state.handler = ngx_http_v2_state_header_block;
-        return pos;
+        if (end - pos > 0) {
+            h2c->state.handler = ngx_http_v2_state_header_block;
+            return pos;
+        }
+
+        return ngx_http_v2_state_headers_save(h2c, pos, end,
+                                              ngx_http_v2_state_header_block);
     }
 
     if (!(h2c->state.flags & NGX_HTTP_V2_END_HEADERS_FLAG)) {
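
Review bot: the new empty-buffer path in ngx_http_v2_state_header_complete() has no comment, so the reason `pos == end` must go through ngx_http_v2_state_headers_save() rather than just setting the handler and returning is recorded only in the commit message. A short comment above the `return ngx_http_v2_state_headers_save(...)` call would help, saying that when recv_buffer is drained on a header boundary ngx_http_v2_state_header_block() does not get a next iteration in which to save the state, and that per the commit message the connection is then left without timers. Without it, the branch looks redundant and is easy to fold back into the old two-line form. As a minor style point, `if (end - pos > 0)` reads more directly as `if (pos < end)`. The description also implies the trigger is a HEADERS frame cut exactly between two header fields with nothing further sent, which is worth stating in the comment so the case can be reproduced in a regression test.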

