git.kaiwu.me - nginx.git/commitdiff
QUIC: fixed null pointer dereference in MAX_DATA handler.
author Mariano Di Martino <mariano.dimartino@uhasselt.be>
Fri, 3 Sep 2021 11:23:50 +0000 (14:23 +0300)
committer Mariano Di Martino <mariano.dimartino@uhasselt.be>
Fri, 3 Sep 2021 11:23:50 +0000 (14:23 +0300)
If a MAX_DATA frame was received before any stream was created, then the worker
process would crash in nginx_quic_handle_max_data_frame() while traversing the
stream tree.  The issue is solved by adding a check that makes sure the tree is
not empty.

src/event/quic/ngx_event_quic_streams.c

index bff41b20c828d8e232af9f4d403ccf3792461fe1..ef8a9df47ee48c05e3fb352c6d4daae6ad2e2e90 100644 (file)
@@ -1000,7 +1000,9 @@ ngx_quic_handle_max_data_frame(ngx_connection_t *c,
         return NGX_OK;
     }
 
-    if (qc->streams.sent >= qc->streams.send_max_data) {
+    if (tree->root != tree->sentinel
+        && qc->streams.sent >= qc->streams.send_max_data)
+    {
 
         for (node = ngx_rbtree_min(tree->root, tree->sentinel);
              node;
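Review bot: The new `tree->root != tree->sentinel` test in the `if` condition carries no comment, so the reason for it (ngx_rbtree_min() must not be called on an empty stream tree, which a peer can trigger by sending MAX_DATA before opening any stream) is recorded only in the commit message. A one-line comment above the condition would keep the guard from being dropped in a later cleanup. Since the check protects the `ngx_rbtree_min(tree->root, tree->sentinel)` call rather than the flow-control comparison, it would also read more clearly placed directly around the `for` loop, and any other walk over this tree that starts from ngx_rbtree_min() should get the same check. Minor style point: the blank line left after the opening `{` can go.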