diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2018-07-02 19:02:08 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-07-02 19:02:08 +0300 |
| commit | d842b4e5e0ebda87559d804de29dd56bd4cbc4dc (patch) | |
| tree | 9a8a5ec584bb7838390aac34084dd338d46c450b /src/http/modules/ngx_http_grpc_module.c | |
| parent | 468e37734c48e63296e9f633fd6319519b5f8c74 (diff) | |
| download | nginx-d842b4e5e0ebda87559d804de29dd56bd4cbc4dc.tar.gz nginx-d842b4e5e0ebda87559d804de29dd56bd4cbc4dc.zip | |
gRPC: clearing buffers in ngx_http_grpc_get_buf().
We copy input buffers to our buffers, so various flags might be
unexpectedly set in buffers returned by ngx_chain_get_free_buf().
In particular, the b->in_file flag might be set when the body was
written to a file in a different context. With sendfile enabled this
in turn might result in protocol corruption if such a buffer was reused
for a control frame.
Make sure to clear buffers and set only fields we really need to be set.
Diffstat (limited to 'src/http/modules/ngx_http_grpc_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_grpc_module.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c index 300d92704..0baa85f28 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -3868,6 +3868,7 @@ ngx_http_grpc_send_window_update(ngx_http_request_t *r, static ngx_chain_t * ngx_http_grpc_get_buf(ngx_http_request_t *r, ngx_http_grpc_ctx_t *ctx) { + u_char *start; ngx_buf_t *b; ngx_chain_t *cl; @@ -3877,29 +3878,33 @@ ngx_http_grpc_get_buf(ngx_http_request_t *r, ngx_http_grpc_ctx_t *ctx) } b = cl->buf; + start = b->start; - b->tag = (ngx_buf_tag_t) &ngx_http_grpc_body_output_filter; - b->temporary = 1; - b->flush = 1; - - if (b->start == NULL) { + if (start == NULL) { /* * each buffer is large enough to hold two window update * frames in a row */ - b->start = ngx_palloc(r->pool, 2 * sizeof(ngx_http_grpc_frame_t) + 8); - if (b->start == NULL) { + start = ngx_palloc(r->pool, 2 * sizeof(ngx_http_grpc_frame_t) + 8); + if (start == NULL) { return NULL; } - b->pos = b->start; - b->last = b->start; - - b->end = b->start + 2 * sizeof(ngx_http_grpc_frame_t) + 8; } + ngx_memzero(b, sizeof(ngx_buf_t)); + + b->start = start; + b->pos = start; + b->last = start; + b->end = start + 2 * sizeof(ngx_http_grpc_frame_t) + 8; + + b->tag = (ngx_buf_tag_t) &ngx_http_grpc_body_output_filter; + b->temporary = 1; + b->flush = 1; + return cl; } |