SPDY: detect premature closing of stream.

The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.

1 files changed, 13 insertions, 4 deletions

diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index bada9c8f6..92f2a00c6 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -1609,6 +1609,19 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
 
         stream->in_closed = 1;
 
+        if (r->headers_in.content_length_n < 0) {
+            r->headers_in.content_length_n = rb->rest;
+
+        } else if (r->headers_in.content_length_n != rb->rest) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client prematurely closed stream: "
+                          "%O of %O bytes of request body received",
+                          rb->rest, r->headers_in.content_length_n);
+
+            stream->skip_data = NGX_SPDY_DATA_ERROR;
+            goto error;
+        }
+
         if (tf) {
             ngx_memzero(buf, sizeof(ngx_buf_t));
 
@@ -1619,10 +1632,6 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
             rb->buf = NULL;
         }
 
-        if (r->headers_in.content_length_n < 0) {
-            r->headers_in.content_length_n = rb->rest;
-        }
-
         if (rb->post_handler) {
             r->read_event_handler = ngx_http_block_reading;
             rb->post_handler(r);