author: Roman Arutyunyan <arut@nginx.com> 2024-05-28 17:19:21 +0400
committer: Roman Arutyunyan <arut@nginx.com> 2024-05-28 17:19:21 +0400
commit: 9ddc6a08f4c83db5acc0a74c223ddf75a44b726d (patch)
tree: d6c5042b57d231e07319e732aff8769af11b2a76 /src
parent: 6f8c520f497edfe26f46ef6da6699174df5b3da4 (diff)
QUIC: ngx_quic_buffer_t use-after-free protection.
Previously the last chain field of ngx_quic_buffer_t could still reference freed chains and buffers after calling ngx_quic_free_buffer(). While normally an ngx_quic_buffer_t object should not be used after freeing, resetting last_chain field would prevent a potential use-after-free.
Diffstat (limited to 'src')
-rw-r--r-- src/event/quic/ngx_event_quic_frames.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
index 42b7d9f41..6ea908cc1 100644
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -648,6 +648,7 @@ ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb)
ngx_quic_free_chain(c, qb->chain);
qb->chain = NULL;
+ qb->last_chain = NULL;
}
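Review bot: with `qb->last_chain = NULL;` added after `qb->chain = NULL;`, NULL becomes a value that last_chain can hold once ngx_quic_free_buffer() has run, and the readers of that field are outside this hunk. Please confirm that every place that follows qb->last_chain checks for NULL first (or restarts from qb->chain), so that reuse of a freed buffer object does not trade the dangling pointer for a NULL dereference. A one-line comment above the two assignments noting that last_chain is cleared together with the chain it refers to would also help keep the two resets in sync in later changes.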