QUIC: fixed null pointer dereference in MAX_DATA handler.

If a MAX_DATA frame was received before any stream was created, then the worker process would crash in nginx_quic_handle_max_data_frame() while traversing the stream tree. The issue is solved by adding a check that makes sure the tree is not empty.
author: Mariano Di Martino <mariano.dimartino@uhasselt.be> 2021-09-03 14:23:50 +0300
committer: Mariano Di Martino <mariano.dimartino@uhasselt.be> 2021-09-03 14:23:50 +0300
commit: 9985ab86bf0eb3a58f26d0396c1828d4a70faf03 (patch)
tree: fea26336873b5bd9c2ca5eed1fbe09d32124c9fc /src
parent: 47c993da63a1351193207588d7f9ef1327b1744b (diff)
download: nginx-9985ab86bf0eb3a58f26d0396c1828d4a70faf03.tar.gz
nginx-9985ab86bf0eb3a58f26d0396c1828d4a70faf03.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
index bff41b20c..ef8a9df47 100644
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -1000,7 +1000,9 @@ ngx_quic_handle_max_data_frame(ngx_connection_t *c,
         return NGX_OK;
     }
 
-    if (qc->streams.sent >= qc->streams.send_max_data) {
+    if (tree->root != tree->sentinel
+        && qc->streams.sent >= qc->streams.send_max_data)
+    {
 
         for (node = ngx_rbtree_min(tree->root, tree->sentinel);
              node;
author	Mariano Di Martino <mariano.dimartino@uhasselt.be>	2021-09-03 14:23:50 +0300
committer	Mariano Di Martino <mariano.dimartino@uhasselt.be>	2021-09-03 14:23:50 +0300
commit	9985ab86bf0eb3a58f26d0396c1828d4a70faf03 (patch)
tree	fea26336873b5bd9c2ca5eed1fbe09d32124c9fc /src
parent	47c993da63a1351193207588d7f9ef1327b1744b (diff)
download	nginx-9985ab86bf0eb3a58f26d0396c1828d4a70faf03.tar.gz nginx-9985ab86bf0eb3a58f26d0396c1828d4a70faf03.tar.bz2