diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2024-02-14 15:55:37 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2024-02-14 15:55:37 +0400 |
| commit | 5818f8a6693b3c0d95021f2ee58b69dcf848911c (patch) | |
| tree | dfff54f77f94ae3f04976d9646b8fba8941210ff | |
| parent | 5902baf680609f884a1e11ff2b82a0bffb3724cc (diff) | |
| download | nginx-5818f8a6693b3c0d95021f2ee58b69dcf848911c.tar.gz nginx-5818f8a6693b3c0d95021f2ee58b69dcf848911c.zip | |
QUIC: fixed stream cleanup (ticket #2586).
Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
to the connection (sc->connection = NULL). Previously if this call failed,
sc->connection retained the old value, while the connection was freed by the
application code. This resulted later in a second attempt to close the freed
connection, which lead to allocator double free error.
The fix is to reset the sc->connection pointer in case of error.
| -rw-r--r-- | src/event/quic/ngx_event_quic_streams.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c index df04d0f07..178b805e4 100644 --- a/src/event/quic/ngx_event_quic_streams.c +++ b/src/event/quic/ngx_event_quic_streams.c @@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data) "quic stream id:0x%xL cleanup", qs->id); if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) { + qs->connection = NULL; goto failed; } |