]> git.kaiwu.me - nginx.git/commitdiff
Revert "HTTP/2: fixed overlapping memcpy in CONTINUATION frames"
authorAndrew Clayton <a.clayton@nginx.com>
Mon, 29 Jun 2026 18:03:32 +0000 (19:03 +0100)
committerAndrew Clayton <a.clayton@nginx.com>
Mon, 29 Jun 2026 19:22:32 +0000 (20:22 +0100)
This reverts commit 2d71bdcf8b34d9a44608920e34f2d031b3a938b6.

This is actually unnecessary. Thanks to Valentin Bartenev for the
analysis

1. ngx_http_v2_handle_continuation() handles split HPACK integers at
   frame boundaries
2. HPACK integers are max 4 bytes (NGX_HTTP_V2_INT_OCTETS)
3. The function is only called when length < 4 (i.e., 1-3 bytes remain)
4. The copy destination is offset by 9 bytes (frame header size)

Since 3 < 9, source and destination never overlap.

src/http/v2/ngx_http_v2.c

index 7b1efa3ec9c84f1c5af46ba856365c897ddc1a8a..69cb0ae09a6629cc032e8cca7d7b8e0532971f76 100644 (file)
@@ -1967,7 +1967,7 @@ ngx_http_v2_handle_continuation(ngx_http_v2_connection_t *h2c, u_char *pos,
     p = pos;
     pos += NGX_HTTP_V2_FRAME_HEADER_SIZE;
 
-    ngx_memmove(pos, p, len);
+    ngx_memcpy(pos, p, len);
 
     len = ngx_http_v2_parse_length(head);