nginx.git/src, branch release-1.17.3 nginx HTTP/2: limited number of PRIORITY frames. 2019-08-13T12:43:40+00:00 Ruslan Ermilov ru@nginx.com 2019-08-13T12:43:40+00:00 5ae726912654da10a9a81b2c8436829f3e94f69f Fixed excessive CPU usage caused by a peer that continuously shuffles priority of streams. Fix is to limit the number of PRIORITY frames. 
Fixed excessive CPU usage caused by a peer that continuously shuffles
priority of streams.  Fix is to limit the number of PRIORITY frames.
HTTP/2: limited number of DATA frames. 2019-08-13T12:43:36+00:00 Ruslan Ermilov ru@nginx.com 2019-08-13T12:43:36+00:00 a987f81dd19210bc30b62591db331e31d3d74089 Fixed excessive memory growth and CPU usage if stream windows are manipulated in a way that results in generating many small DATA frames. Fix is to limit the number of simultaneously allocated DATA frames. 
Fixed excessive memory growth and CPU usage if stream windows are
manipulated in a way that results in generating many small DATA frames.
Fix is to limit the number of simultaneously allocated DATA frames.
HTTP/2: reject zero length headers with PROTOCOL_ERROR. 2019-08-13T12:43:32+00:00 Sergey Kandaurov pluknet@nginx.com 2019-08-13T12:43:32+00:00 6dfbc8b1c2116f362bb871efebbf9df576738e89 Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length. 
Fixed uncontrolled memory growth if peer sends a stream of
headers with a 0-length header name and 0-length header value.
Fix is to reject headers with zero name length.
Mail: fixed duplicate resolving. 2019-08-01T10:50:07+00:00 Maxim Dounin mdounin@mdounin.ru 2019-08-01T10:50:07+00:00 abe660636c93315b4acb8531b83aec8d309d2eca When using SMTP with SSL and resolver, read events might be enabled during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler() calls if something arrives from the client, and duplicate session initialization - including starting another resolving. This can lead to a segmentation fault if the session is closed after first resolving finished. Fix is to block read events while resolving. Reported by Robert Norris, http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html. 
When using SMTP with SSL and resolver, read events might be enabled
during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler()
calls if something arrives from the client, and duplicate session
initialization - including starting another resolving.  This can lead
to a segmentation fault if the session is closed after first resolving
finished.  Fix is to block read events while resolving.

Reported by Robert Norris,
http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html.
Gzip: fixed "zero size buf" alerts after ac5a741d39cf. 2019-07-31T14:29:00+00:00 Maxim Dounin mdounin@mdounin.ru 2019-07-31T14:29:00+00:00 39c40428f93db246a9a27e7a109413fae46e195d After ac5a741d39cf it is now possible that after zstream.avail_out reaches 0 and we allocate additional buffer, there will be no more data to put into this buffer, triggering "zero size buf" alert. Fix is to reset b->temporary flag in this case. Additionally, an optimization added to avoid allocating additional buffer in this case, by checking if last deflate() call returned Z_STREAM_END. Note that checking for Z_STREAM_END by itself is not enough to fix alerts, as deflate() can return Z_STREAM_END without producing any output if the buffer is smaller than gzip trailer. Reported by Witold Filipczyk, http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html. 
After ac5a741d39cf it is now possible that after zstream.avail_out
reaches 0 and we allocate additional buffer, there will be no more data
to put into this buffer, triggering "zero size buf" alert.  Fix is to
reset b->temporary flag in this case.

Additionally, an optimization added to avoid allocating additional buffer
in this case, by checking if last deflate() call returned Z_STREAM_END.
Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
as deflate() can return Z_STREAM_END without producing any output if the
buffer is smaller than gzip trailer.

Reported by Witold Filipczyk,
http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html.
Version bump. 2019-07-31T14:28:41+00:00 Maxim Dounin mdounin@mdounin.ru 2019-07-31T14:28:41+00:00 6179b98ed537e2ad39eff11ee1689bf4700e59af 






Core: fixed memory leak on error, missed in c3f60d618c17.
2019-07-19T14:50:00+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-19T14:50:00+00:00

c3fd5f7e76343c899747ec58ae703540e7e9e69a

Found by Coverity (CID 1451664).





Found by Coverity (CID 1451664).







Xslt: fixed potential buffer overflow with null character.
2019-07-18T15:27:54+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-18T15:27:54+00:00

2187586207e1465d289ae64cedc829719a048a39

Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.





Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.







SSI: avoid potential buffer overflow.
2019-07-18T15:27:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-18T15:27:53+00:00

ad42d70fed67c1e7098055fb25721ab904db2389

When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.





When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.







Upstream: fixed EOF handling in unbuffered and upgraded modes.
2019-07-18T15:27:52+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-18T15:27:52+00:00

20c8c4fe35d290abe298cea9a4f1756fcfec19f4

With level-triggered event methods it is important to specify
the NGX_CLOSE_EVENT flag to ngx_handle_read_event(), otherwise
the event won't be removed, resulting in CPU hog.

Reported by Patrick Wollgast.





With level-triggered event methods it is important to specify
the NGX_CLOSE_EVENT flag to ngx_handle_read_event(), otherwise
the event won't be removed, resulting in CPU hog.

Reported by Patrick Wollgast.