HTTP/2: fixed null pointer dereference with server push.

r->headers_in.host can be NULL in ngx_http_v2_push_resource(). This happens when a request is terminated with 400 before the :authority or Host header is parsed, and either pushing is enabled on the server{} level or error_page 400 redirects to a location with pushes configured. Found by Coverity (CID 1429156).
author: Ruslan Ermilov <ru@nginx.com> 2018-02-09 23:20:08 +0300
committer: Ruslan Ermilov <ru@nginx.com> 2018-02-09 23:20:08 +0300
commit: c32d9d28fd94e295b08c289031b5c9640195f9c0 (patch)
tree: 53e889e14f2d8c810c0e5b0d60532640eb104aa7 /src
parent: 09eb20c8a76c0c8e7c70d9e6415a5404589cba51 (diff)
download: nginx-c32d9d28fd94e295b08c289031b5c9640195f9c0.tar.gz
nginx-c32d9d28fd94e295b08c289031b5c9640195f9c0.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index 980ea9271..55e3ca94a 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_request_t *r, ngx_str_t *path,
 
     host = r->headers_in.host;
 
-    if (authority->len == 0 && host) {
+    if (host == NULL) {
+        return NGX_ABORT;
+    }
+
+    if (authority->len == 0) {
 
         len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;
author	Ruslan Ermilov <ru@nginx.com>	2018-02-09 23:20:08 +0300
committer	Ruslan Ermilov <ru@nginx.com>	2018-02-09 23:20:08 +0300
commit	c32d9d28fd94e295b08c289031b5c9640195f9c0 (patch)
tree	53e889e14f2d8c810c0e5b0d60532640eb104aa7 /src
parent	09eb20c8a76c0c8e7c70d9e6415a5404589cba51 (diff)
download	nginx-c32d9d28fd94e295b08c289031b5c9640195f9c0.tar.gz nginx-c32d9d28fd94e295b08c289031b5c9640195f9c0.zip