From: Mariano Di Martino Date: Fri, 3 Sep 2021 11:23:50 +0000 (+0300) Subject: QUIC: fixed null pointer dereference in MAX_DATA handler. X-Git-Tag: release-1.25.0~4^2~268 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=9985ab86bf0eb3a58f26d0396c1828d4a70faf03;p=nginx.git QUIC: fixed null pointer dereference in MAX_DATA handler. If a MAX_DATA frame was received before any stream was created, then the worker process would crash in nginx_quic_handle_max_data_frame() while traversing the stream tree. The issue is solved by adding a check that makes sure the tree is not empty. --- diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c index bff41b20c..ef8a9df47 100644 --- a/src/event/quic/ngx_event_quic_streams.c +++ b/src/event/quic/ngx_event_quic_streams.c @@ -1000,7 +1000,9 @@ ngx_quic_handle_max_data_frame(ngx_connection_t *c, return NGX_OK; } - if (qc->streams.sent >= qc->streams.send_max_data) { + if (tree->root != tree->sentinel + && qc->streams.sent >= qc->streams.send_max_data) + { for (node = ngx_rbtree_min(tree->root, tree->sentinel); node;
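Review bot: The new `tree->root != tree->sentinel` guard in the `if` condition of ngx_quic_handle_max_data_frame() carries no comment saying why it is there, and it sits apart from the `ngx_rbtree_min(tree->root, tree->sentinel)` call it protects. A one-line comment such as "no streams yet, nothing to traverse" above the condition would keep a later refactor from dropping it. Because the guard is merged with `qc->streams.sent >= qc->streams.send_max_data`, an empty tree now takes the same path as the case where the condition is false; the code after this block is not visible in the hunk, so please confirm that it still does the right thing for a MAX_DATA frame received before any stream exists. The commit message names the function `nginx_quic_handle_max_data_frame()`, while the hunk header shows `ngx_quic_handle_max_data_frame`; the message should use the real name so it can be found by search. A regression test that sends MAX_DATA before any stream is created would be worth adding alongside the fix.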