From: Valentin Bartenev
Date: Fri, 28 Mar 2014 16:05:07 +0000 (+0400)
Subject: SPDY: fixed the DATA frame length handling in case of some errors.
X-Git-Tag: release-1.5.13~19
X-Git-Url: http://git.kaiwu.me/sitemap.xml?a=commitdiff_plain;h=afb92a8127d30e7c4ff6387a9b9761924b134940;p=nginx.git

SPDY: fixed the DATA frame length handling in case of some errors.

There are a few cases in ngx_http_spdy_state_read_data() related to error handling when ngx_http_spdy_state_skip() might be called with an inconsistent state between *pos and sc->length, that leads to violation of frame layout parsing and resulted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
---
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index 9c80febaf..bada9c8f6 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos, complete = 1; } else { - sc->length -= size; complete = 0; } @@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos, } } + sc->length -= size; + if (tf) { buf->start = pos; buf->pos = pos;
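
Review bot: In the first hunk (@@ -1528,7 +1528,6 @@), with `sc->length -= size;` removed the else branch only sets `complete = 0;`, so sc->length keeps counting the `size` bytes being processed until the decrement that the second hunk adds further down. The lines between the two hunks are not shown here; any of them that reads sc->length to decide whether the frame is finished will now see the larger value, so that is worth checking. It is also worth confirming that the `complete = 1` branch did not already adjust sc->length, since the relocated decrement now applies to both branches.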
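
Review bot: In the second hunk (@@ -1571,6 +1570,8 @@), the added `sc->length -= size;` just before `if (tf) {` has no comment saying why it must sit after the preceding block. The commit message attributes the bug to ngx_http_spdy_state_skip() being called from error paths with sc->length out of step with *pos; a one-line comment stating that the length is reduced only once those error paths have been passed would keep a later cleanup from moving the statement back up. A regression test that hits one of those error cases in a DATA frame and then checks that the next frame on the same connection still parses would pin the behaviour.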