details: http://hg.nginx.org/nginx/rev/a24f88eff684 branches: changeset: 5628:a24f88eff684 user: Valentin Bartenev <vb...@nginx.com> date: Fri Mar 28 20:22:57 2014 +0400 description: SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with a 400 "Bad request" error if the sum of the data frame payload lengths does not equal the size of the Content-Length header. This also fixes "zero size buf in output" alert, that might be triggered if client sends a greater than zero Content-Length header and closes stream using the FIN flag with an empty request body. diffstat: src/http/ngx_http_spdy.c | 17 +++++++++++++---- 1 files changed, 13 insertions(+), 4 deletions(-) diffs (34 lines):
diff -r d74889fbf06d -r a24f88eff684 src/http/ngx_http_spdy.c
--- a/src/http/ngx_http_spdy.c Fri Mar 28 20:05:07 2014 +0400
+++ b/src/http/ngx_http_spdy.c Fri Mar 28 20:22:57 2014 +0400
@@ -1609,6 +1609,19 @@ ngx_http_spdy_state_read_data(ngx_http_s
 stream->in_closed = 1;
+ if (r->headers_in.content_length_n < 0) {
+ r->headers_in.content_length_n = rb->rest;
+
+ } else if (r->headers_in.content_length_n != rb->rest) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client prematurely closed stream: "
+ "%O of %O bytes of request body received",
+ rb->rest, r->headers_in.content_length_n);
+
+ stream->skip_data = NGX_SPDY_DATA_ERROR;
+ goto error;
+ }
+
 if (tf) {
 ngx_memzero(buf, sizeof(ngx_buf_t));
@@ -1619,10 +1632,6 @@ ngx_http_spdy_state_read_data(ngx_http_s
 rb->buf = NULL;
 }
- if (r->headers_in.content_length_n < 0) {
- r->headers_in.content_length_n = rb->rest;
- }
-
 if (rb->post_handler) {
 r->read_event_handler = ngx_http_block_reading;
 rb->post_handler(r);
_______________________________________________
nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
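Review bot: The length check added in the first hunk depends on `rb->rest` holding the number of body bytes received so far, which the log arguments imply but nothing in the hunk states, and the field's name reads more like "bytes remaining". A one-line comment above the `if` would keep a later reader from inverting the comparison, for example `/* rb->rest counts body bytes received on this stream; it must equal Content-Length when FIN arrives */`. The `!=` test also matches a body longer than declared, for which "prematurely closed" would be the wrong message; presumably that case is rejected earlier in the function, but the hunk does not show it. The `error` label and the rest of ngx_http_spdy_state_read_data lie outside the hunk, so the 400 response promised in the description, and the fact that `rb->post_handler` is never reached with a mismatched body, cannot be confirmed from these lines.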