nginx.git/src/http, branch release-1.14.1

gRPC: limited allocations due to ping and settings frames.

2018-11-06T13:29:59+00:00

HTTP/2: limit the number of idle state switches.

2018-11-06T13:29:49+00:00

An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.

This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.

Initially reported by Gal Goldshtein from F5 Networks.

HTTP/2: flood detection.

2018-11-06T13:29:35+00:00

Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
is to limit the number of allocated control frames.

Mp4: fixed reading 64-bit atoms.

2018-11-06T13:29:18+00:00

Previously there was no validation for the size of a 64-bit atom
in an mp4 file.  This could lead to a CPU hog when the size is 0,
or various other problems due to integer underflow when calculating
atom data size, including segmentation fault or worker process
memory disclosure.

Upstream: fixed u->conf->preserve_output (ticket #1519).

2018-04-05T13:56:12+00:00

Previously, ngx_http_upstream_process_header() might be called after
we've finished reading response headers and switched to a different read
event handler, leading to errors with gRPC proxying.  Additionally,
the u->conf->read_timeout timer might be re-armed during reading response
headers (while this is expected to be a single timeout on reading
the whole response header).

Upstream: fixed ngx_http_upstream_test_next() conditions.

2018-04-02T23:43:18+00:00

Previously, ngx_http_upstream_test_next() used an outdated condition on
whether it will be possible to switch to a different server or not.  It
did not take into account restrictions on non-idempotent requests, requests
with non-buffered request body, and the next upstream timeout.

For such requests, switching to the next upstream server was rejected
later in ngx_http_upstream_next(), resulting in nginx own error page
being returned instead of the original upstream response.

gRPC: fixed possible sign extension of error and setting_value.

2018-03-22T16:26:25+00:00

All cases are harmless and should not happen on valid values, though can
result in bad values being shown incorrectly in logs.

Found by Coverity (CID 1430311, 1430312, 1430313).

gRPC: fixed missing state save in frame header parsing.

2018-03-20T12:58:11+00:00

Previously, frame state wasn't saved if HEADERS frame payload
that begins with header fragment was not received at once.

HTTP/2: improved frame info debugging.

2018-03-19T18:32:15+00:00

gRPC: fixed parsing response headers split on CONTINUATION frames.

2018-03-19T13:42:56+00:00