Previously, when connecting to a backend, if the read event handler was
called before the write event handler, and the received response triggered
a next upstream condition, then ngx_http_upstream_reinit() was not called
to clean up the old upstream context. This had multiple implications.
For all proxy modules, since the last upstream response was not cleaned up,
it was mixed with the next upstream response. This could result in ignoring
the second response status code, duplicate response headers or reporting
old upstream header errors.
With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection
was left dangling since the object it referenced was allocated from the
last upstream connection pool, which was deleted when freeing last upstream.
This lead to use-after-free when trying to reuse this object for the next
upstream.
u->writer.connection = c;
u->writer.limit = clcf->sendfile_max_chunk;
- if (u->request_sent) {
+ if (u->request_sent || u->response_received) {
if (ngx_http_upstream_reinit(r, u) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
NGX_HTTP_INTERNAL_SERVER_ERROR);
u->request_sent = 0;
u->request_body_sent = 0;
u->request_body_blocked = 0;
+ u->response_received = 0;
if (rc == NGX_AGAIN) {
ngx_add_timer(c->write, u->conf->connect_timeout);
u->peer.cached = 0;
#endif
+ u->response_received = 1;
+
rc = u->process_header(r);
if (rc == NGX_AGAIN) {
unsigned request_body_sent:1;
unsigned request_body_blocked:1;
unsigned header_sent:1;
+ unsigned response_received:1;
};
projects / nginx.git / commitdiff