From: Piotr Sikora Date: Fri, 2 Oct 2015 03:25:55 +0000 (-0700) Subject: HTTP/2: fix handling of connection errors. X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=f93aa4d953d2ec0c3c6f5f56f41ed0b14a8c1c33;p=nginx.git HTTP/2: fix handling of connection errors. Previously, nginx worker would crash because of a double free if client disconnected or timed out before sending all headers. Found with afl-fuzz. Signed-off-by: Piotr Sikora --- diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c index 51cf65a88..32da12f52 100644 --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -2377,12 +2377,6 @@ ngx_http_v2_connection_error(ngx_http_v2_connection_t *h2c, ngx_debug_point(); } - if (h2c->state.stream) { - h2c->state.stream->out_closed = 1; - h2c->state.pool = NULL; - ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); - } - ngx_http_v2_finalize_connection(h2c, err); return NULL; @@ -3814,6 +3808,12 @@ ngx_http_v2_finalize_connection(ngx_http_v2_connection_t *h2c, c = h2c->connection; + if (h2c->state.stream) { + h2c->state.stream->out_closed = 1; + h2c->state.pool = NULL; + ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST); + } + h2c->blocked = 1; if (!c->error && ngx_http_v2_send_goaway(h2c, status) != NGX_ERROR) {