details: http://hg.nginx.org/nginx/rev/0708285115fa
branches: stable-1.10
changeset: 6752:0708285115fa
user: Valentin Bartenev <vb...@nginx.com>
date: Thu Jun 16 20:55:11 2016 +0300
description:
HTTP/2: fixed a segfault while processing unbuffered upload.
The ngx_http_v2_finalize_connection() closes current stream, but that is an invalid operation while processing unbuffered upload. This results in access to already freed memory, since the upstream module sets a cleanup handler that also finalizes the request. diffstat: src/http/v2/ngx_http_v2.c | 4 ---- 1 files changed, 0 insertions(+), 4 deletions(-) diffs (14 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -4169,10 +4169,6 @@ ngx_http_v2_finalize_connection(ngx_http c->error = 1; - if (h2c->state.stream) { - ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); - } - if (!h2c->processing) { ngx_http_close_connection(c); return;
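Review bot: The deleted block in ngx_http_v2_finalize_connection() ran for any non-NULL h2c->state.stream, not only during an unbuffered upload, so removing it outright also changes the case where a stream is mid-frame but no upload is in progress. The visible context (c->error = 1; followed by the !h2c->processing check) does not show what now closes that stream or clears h2c->state.stream, so please confirm that a later part of the function finalizes it, and leave a short comment after c->error = 1; saying that the current stream is deliberately not closed here because the upstream cleanup handler also finalizes the request. The diffstat shows only src/http/v2/ngx_http_v2.c changed; a regression test that aborts an HTTP/2 connection during an unbuffered upload would keep this use-after-free from returning.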