From: Ruslan Ermilov <ru@nginx.com>
Date: Fri, 9 Feb 2018 20:20:08 +0000 (+0300)
Subject: HTTP/2: fixed null pointer dereference with server push.
X-Git-Tag: release-1.13.9~7
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=c32d9d28fd94e295b08c289031b5c9640195f9c0;p=nginx.git

HTTP/2: fixed null pointer dereference with server push.

r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).
---

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index 980ea9271..55e3ca94a 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -946,7 +946,11 @@ ngx_http_v2_push_resource(ngx_http_request_t *r, ngx_str_t *path,
 
     host = r->headers_in.host;
 
-    if (authority->len == 0 && host) {
+    if (host == NULL) {
+        return NGX_ABORT;
+    }
+
+    if (authority->len == 0) {
 
         len = 1 + NGX_HTTP_V2_INT_OCTETS + host->value.len;