details: http://hg.nginx.org/nginx/rev/8b0553239592
branches:
changeset: 7203:8b0553239592
user: Ruslan Ermilov <r...@nginx.com>
date: Fri Feb 09 23:20:08 2018 +0300
description:
HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().
This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.
Found by Coverity (CID 1429156).
diffstat:
src/http/v2/ngx_http_v2_filter_module.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diffs (16 lines):
diff -r a49af443656f -r 8b0553239592 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c Thu Feb 08 12:11:30 2018 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c Fri Feb 09 23:20:08 2018 +0300
@@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_reque
host = r->headers_in.host;
- if (authority->len == 0 && host) {
+ if (host == NULL) {
+ return NGX_ABORT;
+ }
+
+ if (authority->len == 0) {
len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
