diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2014-04-30 20:34:20 +0400 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2014-04-30 20:34:20 +0400 |
| commit | a785be76f62ef76683034b4df99e0f353bb58921 (patch) | |
| tree | 75e0b57e12b35e263d9acfa6b8ffa0a18c20ace6 /src | |
| parent | 3f023a419394ac82d5a8454673ac9e117856c4e4 (diff) | |
| download | nginx-a785be76f62ef76683034b4df99e0f353bb58921.tar.gz nginx-a785be76f62ef76683034b4df99e0f353bb58921.zip | |
SPDY: added protection from overrun of the receive buffer.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/ngx_http_spdy.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index e53e3aa9f..810d8d8f4 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1921,6 +1921,14 @@ ngx_http_spdy_state_complete(ngx_http_spdy_connection_t *sc, u_char *pos, ngx_log_debug2(NGX_LOG_DEBUG_HTTP, sc->connection->log, 0, "spdy frame complete pos:%p end:%p", pos, end); + if (pos > end) { + ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0, + "receive buffer overrun"); + + ngx_debug_point(); + return ngx_http_spdy_state_internal_error(sc); + } + sc->handler = ngx_http_spdy_state_head; sc->stream = NULL; |