nginx.git/src/http/modules, branch release-1.14.2

Mp4: fixed possible pointer overflow on 32-bit platforms.

2018-11-21T17:23:16+00:00

On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code.  In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.

To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end.  This ensures that overflow cannot happen.

gRPC: disabled keepalive when sending control frames was blocked.

2018-09-03T16:34:02+00:00

If sending request body was not completed (u->request_body_sent is not set),
the upstream keepalive module won't save such a connection.  However, it
is theoretically possible (though highly unlikely) that sending of some
control frames can be blocked after the request body was sent.  The
ctx->output_blocked flag introduced to disable keepalive in such cases.

gRPC: improved keepalive handling.

2018-09-03T16:34:01+00:00

The code is now able to parse additional control frames after
the response is received, and can send control frames as well.
This fixes keepalive problems as observed with grpc-c, which can
send window update and ping frames after the response, see
http://mailman.nginx.org/pipermail/nginx/2018-August/056620.html.

gRPC: clearing buffers in ngx_http_grpc_get_buf().

2018-07-02T16:02:08+00:00

We copy input buffers to our buffers, so various flags might be
unexpectedly set in buffers returned by ngx_chain_get_free_buf().

In particular, the b->in_file flag might be set when the body was
written to a file in a different context.  With sendfile enabled this
in turn might result in protocol corruption if such a buffer was reused
for a control frame.

Make sure to clear buffers and set only fields we really need to be set.

Silenced -Wcast-function-type warnings (closes #1546).

2018-05-07T09:54:37+00:00

Cast to intermediate "void *" to lose compiler knowledge about the original
type and pass the warning.  This is not a real fix but rather a workaround.

Found by gcc8.

gRPC: limited allocations due to ping and settings frames.

2018-11-06T13:29:59+00:00

Mp4: fixed reading 64-bit atoms.

2018-11-06T13:29:18+00:00

Previously there was no validation for the size of a 64-bit atom
in an mp4 file.  This could lead to a CPU hog when the size is 0,
or various other problems due to integer underflow when calculating
atom data size, including segmentation fault or worker process
memory disclosure.

gRPC: fixed possible sign extension of error and setting_value.

2018-03-22T16:26:25+00:00

All cases are harmless and should not happen on valid values, though can
result in bad values being shown incorrectly in logs.

Found by Coverity (CID 1430311, 1430312, 1430313).

gRPC: fixed missing state save in frame header parsing.

2018-03-20T12:58:11+00:00

Previously, frame state wasn't saved if HEADERS frame payload
that begins with header fragment was not received at once.

gRPC: fixed parsing response headers split on CONTINUATION frames.

2018-03-19T13:42:56+00:00