]> git.kaiwu.me - nginx.git/commitdiff
HTTP/3: allocate insert buffer from connection pool
authorRoman Arutyunyan <arut@nginx.com>
Tue, 19 May 2026 11:46:31 +0000 (15:46 +0400)
committerRoman Arutyunyan <arutyunyan.roman@gmail.com>
Wed, 17 Jun 2026 14:40:35 +0000 (07:40 -0700)
Previously, it was allocated from the encoder stream pool.  This could
lead to use-after-free if the stream was closed and another encoder
stream was opened.

Reported by Trung Nguyen (@everping) of CyStack.

src/http/v3/ngx_http_v3_table.c

index eac3da6bc9ce5238e5c19aa28f1dd4dae6e8f40a..c8255278f0a57b22164394df8f976f9bd7306be1 100644 (file)
@@ -168,7 +168,7 @@ ngx_http_v3_get_insert_buffer(ngx_connection_t *c)
     if (dt->insert_buffer == NULL) {
         h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
 
-        dt->insert_buffer = ngx_create_temp_buf(c->pool,
+        dt->insert_buffer = ngx_create_temp_buf(c->quic->parent->pool,
                                                 h3scf->max_table_capacity);
         if (dt->insert_buffer == NULL) {
             return NULL;