> On 1 Aug 2023, at 11:45, Roman Arutyunyan <a...@nginx.com> wrote: > > # HG changeset patch > # User Roman Arutyunyan <a...@nginx.com> > # Date 1690874404 -14400 > # Tue Aug 01 11:20:04 2023 +0400 > # Node ID 5b91a40f2dd249000e9208a0152dc5cc0c6ea0c4 > # Parent 4f078be6e2ed08643371a3956f5f18f2357a38db > QUIC: avoid accessing freed frame. > > Previously the field pnum of a potentially freed frame was accessed. Now the > value is copied to a local variable. The old behavior did not cause any > problems since the frame memory is not freed, but is moved to a free queue > instead. > > diff --git a/src/event/quic/ngx_event_quic_ack.c > b/src/event/quic/ngx_event_quic_ack.c > --- a/src/event/quic/ngx_event_quic_ack.c > +++ b/src/event/quic/ngx_event_quic_ack.c > @@ -548,6 +548,7 @@ ngx_quic_persistent_congestion(ngx_conne > void > ngx_quic_resend_frames(ngx_connection_t *c, ngx_quic_send_ctx_t *ctx) > { > + uint64_t pnum; > ngx_queue_t *q; > ngx_quic_frame_t *f, *start; > ngx_quic_stream_t *qs; > @@ -556,6 +557,7 @@ ngx_quic_resend_frames(ngx_connection_t > qc = ngx_quic_get_connection(c); > q = ngx_queue_head(&ctx->sent); > start = ngx_queue_data(q, ngx_quic_frame_t, queue); > + pnum = start->pnum; > > ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > "quic resend packet pnum:%uL", start->pnum); > @@ -565,7 +567,7 @@ ngx_quic_resend_frames(ngx_connection_t > do { > f = ngx_queue_data(q, ngx_quic_frame_t, queue); > > - if (f->pnum != start->pnum) { > + if (f->pnum != pnum) { > break; > } >
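Review bot: In the hunk at @@ -556,6 +557,7, the ngx_log_debug1 call directly below the new `pnum = start->pnum;` still passes start->pnum. That read is safe at that point because it precedes the loop, but passing pnum there would leave exactly one read of start->pnum in the function and make it easy to audit that nothing dereferences start later.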
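Review bot: The changed comparison `if (f->pnum != pnum) {` in the hunk at @@ -565,7 +567,7 carries no comment explaining why a local copy is needed. The commit message notes the old code only worked because frame memory is moved to a free queue rather than released, so a one-line comment next to the assignment (for example, that start may be freed during the loop) would keep a later cleanup from switching back to start->pnum.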
Looks good.

-- 
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel