[nginx] QUIC: ngx_quic_buffer_t use-after-free protection.

Sergey Kandaurov pluknet at nginx.com
Wed May 29 14:58:27 UTC 2024


details:   https://hg.nginx.org/nginx/rev/b32b516f36b1
branches:  stable-1.26
changeset: 9265:b32b516f36b1
user:      Roman Arutyunyan <arut at nginx.com>
date:      Tue May 28 17:19:21 2024 +0400
description:
QUIC: ngx_quic_buffer_t use-after-free protection.

Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.

diffstat:

 src/event/quic/ngx_event_quic_frames.c |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (11 lines):

diff -r e4e9d7003b31 -r b32b516f36b1 src/event/quic/ngx_event_quic_frames.c
--- a/src/event/quic/ngx_event_quic_frames.c	Tue May 28 17:19:08 2024 +0400
+++ b/src/event/quic/ngx_event_quic_frames.c	Tue May 28 17:19:21 2024 +0400
@@ -648,6 +648,7 @@ ngx_quic_free_buffer(ngx_connection_t *c
     ngx_quic_free_chain(c, qb->chain);
 
     qb->chain = NULL;
+    qb->last_chain = NULL;
 }
 
 
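Review bot: the added `qb->last_chain = NULL;` in ngx_quic_free_buffer() carries no comment explaining why it is there, and the commit message itself says an ngx_quic_buffer_t should not normally be used after freeing, so a later cleanup could drop the line as redundant. A one-line comment above the two NULL assignments stating that both pointers are cleared defensively after `ngx_quic_free_chain(c, qb->chain);` would keep that intent in the source. It is also worth confirming against the structure definition, which this hunk does not show, that no other member still refers to or describes the freed chain; if one does, it should be reset here as well so the object is left in a consistent empty state.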