git.kaiwu.me - nginx.git/commitdiff
SPDY: fixed the DATA frame length handling in case of some errors.
author Valentin Bartenev <vbart@nginx.com>
Fri, 28 Mar 2014 16:05:07 +0000 (20:05 +0400)
committer Valentin Bartenev <vbart@nginx.com>
Fri, 28 Mar 2014 16:05:07 +0000 (20:05 +0400)
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resulted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.

src/http/ngx_http_spdy.c

index 9c80febaf10c1479edae80ffc47506b83dbefc36..bada9c8f645f984213ab528e6de81078ccc7ef11 100644 (file)
@@ -1528,7 +1528,6 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
         complete = 1;
 
     } else {
-        sc->length -= size;
         complete = 0;
     }
 
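Review bot: the invariant this relies on is undocumented at the `else` branch, where `sc->length -= size;` is removed and nothing says why `sc->length` must stay untouched at this point. A one-line comment here, stating that `sc->length` is only reduced once the data has actually been consumed so that an error path calling ngx_http_spdy_state_skip() still sees a length consistent with `pos`, would keep a later cleanup from moving the decrement back. The `else` now holds only `complete = 0;`, so the flag could also be initialised before the `if` and the branch dropped.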
@@ -1571,6 +1570,8 @@ ngx_http_spdy_state_read_data(ngx_http_spdy_connection_t *sc, u_char *pos,
             }
         }
 
+        sc->length -= size;
+
         if (tf) {
             buf->start = pos;
             buf->pos = pos;
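Review bot: the relocated `sc->length -= size;` before `if (tf)` is no longer tied to the `complete = 0` case, so it now also runs when `complete = 1`, which the old placement in the `else` branch never did. The commit message does not mention this, so it is worth confirming that the completion path does not expect `sc->length` to still hold the pre-read value, and saying so in the message or a comment. The indentation also shows the new line sits inside a nested block; any path that skips that block leaves `sc->length` undecremented, so check that such paths either do not advance `pos` or hand the remainder to ngx_http_spdy_state_skip() with the unchanged length.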