author Valentin Bartenev <vbart@nginx.com> 2014-03-28 20:05:07 +0400
committer Valentin Bartenev <vbart@nginx.com> 2014-03-28 20:05:07 +0400
commit afb92a8127d30e7c4ff6387a9b9761924b134940
tree 02d1feaaef48dda559580d08ab4ac6b5ff129b26 /src
parent de3c7a825ee446fe4e0dc84df3d57bfebdf8c6f6
SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error handling when ngx_http_spdy_state_skip() might be called with an inconsistent state between *pos and sc->length, that leads to violation of frame layout parsing and resulted in corruption of spdy connection. Based on a patch by Xiaochen Wang.
Diffstat (limited to 'src')
-rw-r--r-- src/http/ngx_http_spdy.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index 9c80febaf..bada9c8f6 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
complete = 1;
} else {
- sc->length -= size;
complete = 0;
}
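Review bot: in the else branch, removing `sc->length -= size;` leaves only `complete = 0;`, with nothing to say why the length is no longer adjusted at the point where size is decided. Add a one-line comment there noting that sc->length is deliberately left untouched until the data is actually consumed, because the error paths that call ngx_http_spdy_state_skip() need *pos and sc->length to still agree; without it a later cleanup can easily move the decrement back.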
@@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
}
}
+ sc->length -= size;
+
if (tf) {
buf->start = pos;
buf->pos = pos;
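Review bot: the added `sc->length -= size;` now runs whatever the value of complete, while the removed line ran only in the `complete = 0` branch, so sc->length is reduced on the complete path as well; please confirm that nothing after this point on that path still reads sc->length as the full frame remainder. The lines that follow still use pos as the start of the data (`buf->start = pos;`), so the length is reduced before pos is moved: keeping the decrement directly next to the statement that advances pos by size, or commenting the pairing, would make the *pos and sc->length invariant from the commit message easier to audit.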