HTTP/2: fixed null pointer dereference with server push.

r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index 980ea927127a8bcbf32844d64ec8cfd6126d8eb3..55e3ca94a80208d11edb7b4a07bb412339bd8632 100644 (file)
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_request_t *r, ngx_str_t *path,
 
     host = r->headers_in.host;
 
-    if (authority->len == 0 && host) {
+    if (host == NULL) {
+        return NGX_ABORT;
+    }
+
+    if (authority->len == 0) {
 
         len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;