details: http://hg.nginx.org/nginx/rev/22ee99422329 branches: changeset: 6271:22ee99422329 user: Piotr Sikora <piotrsik...@google.com> date: Thu Oct 01 20:25:55 2015 -0700 description: HTTP/2: reject self-dependent streams.
Per RFC7540, a stream cannot depend on itself. Previously, this requirement was enforced on PRIORITY frames, but not on HEADERS frames and due to the implementation details nginx worker would crash (stack overflow) while opening self-dependent stream. Found with afl-fuzz. Signed-off-by: Piotr Sikora <piotrsik...@google.com> diffstat: src/http/v2/ngx_http_v2.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diffs (26 lines):
diff -r e769cc88f996 -r 22ee99422329 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Fri Oct 23 18:21:33 2015 -0700
+++ b/src/http/v2/ngx_http_v2.c Thu Oct 01 20:25:55 2015 -0700
@@ -1133,6 +1133,22 @@ ngx_http_v2_state_headers(ngx_http_v2_co
 h2c->last_sid = h2c->state.sid;
+ if (depend == h2c->state.sid) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent HEADERS frame for stream %ui "
+ "with incorrect dependency", h2c->state.sid);
+
+ if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid,
+ NGX_HTTP_V2_PROTOCOL_ERROR)
+ != NGX_OK)
+ {
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_INTERNAL_ERROR);
+ }
+
+ return ngx_http_v2_state_skip_headers(h2c, pos, end);
+ }
+
 h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, ngx_http_v2_module);
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
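Review bot: The self-dependency guard added after `h2c->last_sid = h2c->state.sid;` carries no comment, so the reason it exists (per the commit description, the unguarded HEADERS path ended in a worker stack overflow) is recorded only in the changelog. I would add `/* RFC 7540, 5.3.1: a stream cannot depend on itself; reject before the priority tree is touched */` above the `if (depend == h2c->state.sid)` line; the ordering part is inferred, since the code that links the dependency is outside this hunk. The description says the same rule was already enforced for PRIORITY frames, so there are now two copies of the check, and a cross-reference between them (or a shared helper) would keep them from drifting apart. ngx_http_v2_state_headers starts and ends outside the hunk, so how `depend` is set when the frame carries no priority fields cannot be confirmed from here.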