QUIC: fixed split frames error handling.

Do not corrupt frame data chain pointer on ngx_quic_read_buffer() error.
The error leads to closing a QUIC connection where the frame may be used
as part of the QUIC connection tear down, which envolves writing pending
frames, including this one.

1 files changed, 5 insertions, 2 deletions

diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
index 040b6182c..7bcfb3211 100644
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -319,6 +319,7 @@ ngx_int_t
 ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len)
 {
     size_t                     shrink;
+    ngx_chain_t               *out;
     ngx_quic_frame_t          *nf;
     ngx_quic_buffer_t          qb;
     ngx_quic_ordered_frame_t  *of, *onf;
@@ -359,11 +360,13 @@ ngx_quic_split_frame(ngx_connection_t *c, ngx_quic_frame_t *f, size_t len)
     ngx_memzero(&qb, sizeof(ngx_quic_buffer_t));
     qb.chain = f->data;
 
-    f->data = ngx_quic_read_buffer(c, &qb, of->length);
-    if (f->data == NGX_CHAIN_ERROR) {
+    out = ngx_quic_read_buffer(c, &qb, of->length);
+    if (out == NGX_CHAIN_ERROR) {
         return NGX_ERROR;
     }
 
+    f->data = out;
+
     nf = ngx_quic_alloc_frame(c);
     if (nf == NULL) {
         return NGX_ERROR;