[nginx] HTTP/2: refuse streams with data until SETTINGS is acknowledged.

Valentin Bartenev vbart at nginx.com
Thu Apr 14 12:25:34 UTC 2016


details:   http://hg.nginx.org/nginx/rev/0aa07850922f
branches:  
changeset: 6514:0aa07850922f
user:      Valentin Bartenev <vbart at nginx.com>
date:      Thu Apr 14 15:14:15 2016 +0300
description:
HTTP/2: refuse streams with data until SETTINGS is acknowledged.

A client is allowed to send requests before receiving and acknowledging
the SETTINGS frame.  Such a client having a wrong idea about the stream's
could send the request body that nginx isn't ready to process.

The previous behavior was to send RST_STREAM with FLOW_CONTROL_ERROR in
such case, but it didn't allow retrying requests that have been rejected.

diffstat:

 src/http/v2/ngx_http_v2.c |  8 +++++++-
 src/http/v2/ngx_http_v2.h |  1 +
 2 files changed, 8 insertions(+), 1 deletions(-)

diffs (36 lines):

diff -r 80ba811112ed -r 0aa07850922f src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Thu Apr 14 15:14:15 2016 +0300
+++ b/src/http/v2/ngx_http_v2.c	Thu Apr 14 15:14:15 2016 +0300
@@ -1058,6 +1058,12 @@ ngx_http_v2_state_headers(ngx_http_v2_co
         goto rst_stream;
     }
 
+    if (!h2c->settings_ack && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG))
+    {
+        status = NGX_HTTP_V2_REFUSED_STREAM;
+        goto rst_stream;
+    }
+
     node = ngx_http_v2_get_node_by_id(h2c, h2c->state.sid, 1);
 
     if (node == NULL) {
@@ -1878,7 +1884,7 @@ ngx_http_v2_state_settings(ngx_http_v2_c
             return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
         }
 
-        /* TODO settings acknowledged */
+        h2c->settings_ack = 1;
 
         return ngx_http_v2_state_complete(h2c, pos, end);
     }
diff -r 80ba811112ed -r 0aa07850922f src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h	Thu Apr 14 15:14:15 2016 +0300
+++ b/src/http/v2/ngx_http_v2.h	Thu Apr 14 15:14:15 2016 +0300
@@ -141,6 +141,7 @@ struct ngx_http_v2_connection_s {
     ngx_uint_t                       last_sid;
 
     unsigned                         closed_nodes:8;
+    unsigned                         settings_ack:1;
     unsigned                         blocked:1;
 };
 



More information about the nginx-devel mailing list