| author | Roman Arutyunyan <arut@nginx.com> | 2024-05-28 17:19:21 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2024-05-28 17:19:21 +0400 |
| commit | 0e7702e06655e3b439be8fbcd57bc91539912c2f (patch) | |
| tree | 5d4bcaa76e6d487a22729e74af37c0dcd1af8651 | |
| parent | 376f12e40adc83859a4ddea21d27d7c053ce02f8 (diff) | |
QUIC: ngx_quic_buffer_t use-after-free protection.
Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer(). While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.
| -rw-r--r-- | src/event/quic/ngx_event_quic_frames.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c index 42b7d9f41..6ea908cc1 100644 --- a/src/event/quic/ngx_event_quic_frames.c +++ b/src/event/quic/ngx_event_quic_frames.c @@ -648,6 +648,7 @@ ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb) ngx_quic_free_chain(c, qb->chain); qb->chain = NULL; + qb->last_chain = NULL; } |
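Review bot: The added `qb->last_chain = NULL;` in ngx_quic_free_buffer() resets the one cached pointer named in the commit message, but nothing in the hunk shows whether other ngx_quic_buffer_t fields still describe the chain just released by `ngx_quic_free_chain(c, qb->chain)`. It is worth confirming that no other member of the structure is left stale after the free. A short comment above the two resets, stating that last_chain points into qb->chain and the pair must always be cleared together, would help. Any other path that frees or replaces qb->chain should apply the same reset so the invariant does not depend on this one function.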
