Skip to content

QUIC: fixed accessing a released stream. #413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 27, 2024
Merged

QUIC: fixed accessing a released stream. #413

merged 1 commit into from
Dec 27, 2024
+13 −5

Conversation

arut
Copy link
Contributor

@arut arut commented Dec 26, 2024
edited
Loading

While trying to close a stream in ngx_quic_close_streams() by calling its read event handler, the next stream saved prior to that could be destroyed recursively. This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following. A request stream read event handler ngx_http_request_handler() could end up calling ngx_http_v3_send_cancel_stream() to report a cancelled request stream in the decoder stream. If sending stream cancellation decoder instruction fails for any reason, and the decoder stream is the next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being closed to avoid recursive closures.

Fixes #369.

@arut arut mentioned this pull request Dec 26, 2024
Closed
@pluknet
Copy link
Contributor

pluknet commented Dec 27, 2024
edited
Loading

to avoid recursive closures.

It doesn't seem to prevent recursive closure as in "request stream close -> decoder stream close".
I'd rather say "to avoid closing a released stream" or something like that, YMMV.

@arut
QUIC: fixed accessing a released stream.
0e205f8 
While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively.  This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream.  If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.
@arut arut force-pushed the quic-close-streams branch from 30ca5bf to 0e205f8 Compare December 27, 2024 12:13
@arut arut merged commit e3a9b6a into nginx:master Dec 27, 2024
1 check passed
@arut arut deleted the quic-close-streams branch December 27, 2024 12:14
@Maryna-f5 Maryna-f5 added this to the nginx-1.27.4 milestone Dec 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pluknet pluknet pluknet approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
nginx-1.27.4
Development

Successfully merging this pull request may close these issues.

Segmentation fault in ngx_quic_close_streams()
3 participants
@arut @pluknet @Maryna-f5