diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2021-03-23 16:52:23 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-03-23 16:52:23 +0300 |
| commit | 11477fb633ddaf299f9be01f43aac322056d98dc (patch) | |
| tree | 4b7462a03933f25c2aff0c10280cfdd7eb43edc2 /src/http/modules/ngx_http_grpc_module.c | |
| parent | 02cca547704f710f26a7480d3fa6b476b0f1dccd (diff) | |
| download | nginx-11477fb633ddaf299f9be01f43aac322056d98dc.tar.gz nginx-11477fb633ddaf299f9be01f43aac322056d98dc.tar.bz2 | |
gRPC: fixed handling of padding on DATA frames.
The response size check introduced in 39501ce97e29 did not take into
account possible padding on DATA frames, resulting in incorrect
"upstream sent response body larger than indicated content length" errors
if upstream server used padding in responses with known length.
Fix is to check the actual size of response buffers produced by the code,
similarly to how it is done in other protocols, instead of checking
the size of DATA frames.
Reported at:
http://mailman.nginx.org/pipermail/nginx-devel/2021-March/013907.html
Diffstat (limited to 'src/http/modules/ngx_http_grpc_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_grpc_module.c | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c index f5bf575c2..53bc54710 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -2074,17 +2074,6 @@ ngx_http_grpc_filter(void *data, ssize_t bytes) return NGX_ERROR; } - if (ctx->length != -1) { - if ((off_t) ctx->rest > ctx->length) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "upstream sent response body larger " - "than indicated content length"); - return NGX_ERROR; - } - - ctx->length -= ctx->rest; - } - if (ctx->rest > ctx->recv_window) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "upstream violated stream flow control, " @@ -2450,6 +2439,18 @@ ngx_http_grpc_filter(void *data, ssize_t bytes) b->pos = b->last; buf->last = b->pos; + if (ctx->length != -1) { + + if (buf->last - buf->pos > ctx->length) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "upstream sent response body larger " + "than indicated content length"); + return NGX_ERROR; + } + + ctx->length -= buf->last - buf->pos; + } + return NGX_AGAIN; } @@ -2457,6 +2458,18 @@ ngx_http_grpc_filter(void *data, ssize_t bytes) buf->last = b->pos; ctx->rest = ctx->padding; + if (ctx->length != -1) { + + if (buf->last - buf->pos > ctx->length) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "upstream sent response body larger " + "than indicated content length"); + return NGX_ERROR; + } + + ctx->length -= buf->last - buf->pos; + } + done: if (ctx->padding) { |