SPDY: added protection from overrun of the receive buffer.

author Valentin Bartenev <vbart@nginx.com>

Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)

committer Valentin Bartenev <vbart@nginx.com>

Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)
author Valentin Bartenev <vbart@nginx.com>
Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)
committer Valentin Bartenev <vbart@nginx.com>
Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c

index e53e3aa9f2ab0040c007e6f9f24733d2939f8d35..810d8d8f4e244d8340ec50147a87e1ce486bb093 100644 (file)
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c
@@ -1921,6 +1921,14 @@ ngx_http_spdy_state_complete(ngx_http_spdy_connection_t *sc, u_char *pos,
      ngx_log_debug2(NGX_LOG_DEBUG_HTTP, sc->connection->log, 0,
                     "spdy frame complete pos:%p end:%p", pos, end);
  
+    if (pos > end) {
+        ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
+                      "receive buffer overrun");
+
+        ngx_debug_point();
+        return ngx_http_spdy_state_internal_error(sc);
+    }
+
      sc->handler = ngx_http_spdy_state_head;
      sc->stream = NULL;
author	Valentin Bartenev <vbart@nginx.com>
	Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)
committer	Valentin Bartenev <vbart@nginx.com>
	Wed, 30 Apr 2014 16:34:20 +0000 (20:34 +0400)