[PATCH] SPDY: fixed handling of sc->length in ngx_http_spdy_state_read_data()

Xiaochen Wang wangxiaochen0 at gmail.com
Thu Mar 27 01:02:57 UTC 2014


hi


On Thu, Mar 27, 2014 at 1:01 AM, Valentin V. Bartenev <vbart at nginx.com> wrote:

> On Wednesday 26 March 2014 12:30:11 Xiaochen Wang wrote:
> > In our production, sometimes, the disk was full. In which case, the requests
> > after the POST request were handled wrongly in one spdy connection.
> >
> > Because the input body (DATA frame) of POST request could not be written to disk,
> > then ngx_http_spdy_state_read_data() tried to skip this DATA frame with wrong
> > sc->length, which broke spdy stream.
> >
> [..]
>
> While I agree that there's a problem with sc->length premature adjustment, but
> please note that the problem cannot be triggered by the way you described.
>
> The "pos" pointer is adjusted as well right before ngx_write_chain_to_temp_file()
> is called.
>

Yes, the pos pointer is right. But sc->length is not adjusted if it
receives a complete DATA frame.
Then ngx_http_spdy_state_skip() skips more data.

ngx_http_spdy_state_read_data
{
...
    if (size >= sc->length) {
        size = sc->length;                  <<< sc->length is not adjusted.
        complete = 1;

    } else {
        sc->length -= size;
        complete = 0;
    }
...
}


>
>   wbr, Valentin V. Bartenev
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
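
The accounting problem discussed in this thread, as an added example that is not part of the original message and is not nginx source: a simplified model in which a complete DATA frame is consumed, the temp-file write is assumed to fail, and a skip state then discards sc->length bytes. All names (model_conn, read_chunk, skip_rest, resume_offset) are hypothetical, the input sizes are constructed, and the "fixed" branch is one assumed correction, not the patch from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model only; field names mirror the thread, the rest is assumed. */
typedef struct {
    size_t length;  /* bytes of the current frame still to process (sc->length) */
    size_t pos;     /* read offset into the connection buffer ("pos") */
} model_conn;

/* Consume DATA payload from 'avail' buffered bytes. With fixed == 0 the
 * complete-frame branch leaves length untouched, as shown in the reply. */
static int read_chunk(model_conn *c, size_t avail, int fixed)
{
    size_t size = avail;
    int complete;

    if (size >= c->length) {
        size = c->length;
        complete = 1;
        if (fixed) {
            c->length -= size;  /* assumed correction: adjust in both branches */
        }
    } else {
        c->length -= size;
        complete = 0;
    }
    c->pos += size;             /* pos is advanced correctly either way */
    return complete;
}

/* Skip state: discard whatever length says is left of the current frame. */
static void skip_rest(model_conn *c, size_t buf_len)
{
    size_t left = buf_len - c->pos;
    size_t n = c->length < left ? c->length : left;
    c->pos += n;
    c->length -= n;
}

/* Constructed input: a 100-byte DATA payload followed by a 40-byte next frame,
 * both already buffered. Returns the offset where frame parsing resumes. */
size_t resume_offset(int fixed)
{
    const size_t payload = 100, next_frame = 40;
    model_conn c = { payload, 0 };

    read_chunk(&c, payload + next_frame, fixed);
    /* temp-file write is assumed to fail here (disk full), so skip runs */
    skip_rest(&c, payload + next_frame);
    return c.pos;
}

int main(void)
{
    printf("stale length: resume at %zu\n", resume_offset(0));
    printf("adjusted length: resume at %zu\n", resume_offset(1));
    return 0;
}
```

With the stale length the parser resumes past the next frame's bytes, which is the desynchronisation described for requests that follow the POST on the same connection.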