HTTP/3: skip empty request body buffers (ticket #2374).

When client DATA frame header and its content come in different QUIC packets,
it may happen that only the header is processed by the first
ngx_http_v3_request_body_filter() call.  In this case an empty request body
buffer is added to r->request_body->bufs, which is later reused in a
subsequent ngx_http_v3_request_body_filter() call without being removed from
the body chain.  As a result, rb->request_body->bufs ends up with two copies of
the same buffer.

The fix is to avoid adding empty request body buffers to r->request_body->bufs.

1 files changed, 9 insertions, 7 deletions

diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index 4dbda3596..14802249b 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -1552,15 +1552,17 @@ ngx_http_v3_request_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
                 }
 
                 /* rc == NGX_OK */
-            }
 
-            if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
-                ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
-                              "client intended to send too large "
-                              "body: %O+%ui bytes",
-                              rb->received, st->length);
+                if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
+                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                  "client intended to send too large "
+                                  "body: %O+%ui bytes",
+                                  rb->received, st->length);
 
-                return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+                    return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+                }
+
+                continue;
             }
 
             if (b