details:   http://hg.nginx.org/nginx/rev/8b0553239592
branches:  
changeset: 7203:8b0553239592
user:      Ruslan Ermilov <r...@nginx.com>
date:      Fri Feb 09 23:20:08 2018 +0300
description:
HTTP/2: fixed null pointer dereference with server push.

r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).

diffstat:

 src/http/v2/ngx_http_v2_filter_module.c |  6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diffs (16 lines):

diff -r a49af443656f -r 8b0553239592 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c   Thu Feb 08 12:11:30 2018 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c   Fri Feb 09 23:20:08 2018 +0300
@@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_reque
 
     host = r->headers_in.host;
 
-    if (authority->len == 0 && host) {
+    if (host == NULL) {
+        return NGX_ABORT;
+    }
+
+    if (authority->len == 0) {
 
         len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;
 
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply via email to