details: http://hg.nginx.org/nginx/rev/d74889fbf06d
branches:
changeset: 5627:d74889fbf06d
user: Valentin Bartenev <vb...@nginx.com>
date: Fri Mar 28 20:05:07 2014 +0400
description:
SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error handling when ngx_http_spdy_state_skip() might be called with an inconsistent state between *pos and sc->length, that leads to violation of frame layout parsing and resulted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.

diffstat: src/http/ngx_http_spdy.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diffs (20 lines): diff -r 2411d4b5be2c -r d74889fbf06d src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c Wed Mar 26 18:01:11 2014 +0400 +++ b/src/http/ngx_http_spdy.c Fri Mar 28 20:05:07 2014 +0400 @@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_s complete = 1; } else { - sc->length -= size; complete = 0; } @@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_s } } + sc->length -= size; + if (tf) { buf->start = pos; buf->pos = pos;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
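Review bot: in the first hunk (@@ -1528), the else branch that sets complete = 0 no longer touches sc->length, and nothing at that spot says why. Since the commit message ties the bug to ngx_http_spdy_state_skip() seeing *pos and sc->length out of step, a one-line comment at the branch stating that sc->length is deliberately left unchanged until the data has actually been consumed would keep a later cleanup from moving the decrement back.

Review bot: in the second hunk (@@ -1571), the added sc->length -= size; sits outside the if/else from the first hunk, so as far as the visible context shows it now also runs on the complete = 1 path, which previously did not decrement. Please confirm that nothing after this point relies on the old sc->length value on that path, and consider naming in the commit message the specific error returns between the two hunks that this covers, because "a few cases" cannot be checked from the diff alone.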