From dd038bf7532307a85426664aace03528da7161c3 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Mon, 25 Aug 2014 23:05:39 +0900
Subject: [PATCH] Fix crash when buffer was reallocated after read_length_callback

Added test for this crash.
---
 lib/nghttp2_session.c | 4 ++++
 tests/nghttp2_session_test.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 3d9764da..926a4002 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -5681,6 +5681,10 @@ int nghttp2_session_pack_data(nghttp2_session *session,
 DEBUGF(fprintf(stderr, "send: use safe limit payloadlen=%zu", payloadlen));
+ } else {
+ assert(&session->aob.framebufs == bufs);
+
+ buf = &bufs->cur->buf;
 }
 }
 datamax = (size_t) payloadlen;
diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
index db5ccb55..375be8f0 100644
--- a/tests/nghttp2_session_test.c
+++ b/tests/nghttp2_session_test.c
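Review bot: The refresh `buf = &bufs->cur->buf;` is only correct if the reallocation that precedes this `else` (outside the hunk) operated on the same object that `bufs` points to, and the `assert` documenting that identity is compiled out under NDEBUG, so a release build would silently keep a stale `buf` if the two handles ever diverge. The commit message says the crash came from a reallocated buffer, so a why-comment on the new line would help the next reader: `/* the realloc above may have freed the chunk buf pointed at; re-derive it from bufs */`. Consider deriving both the realloc target and the refreshed `buf` from one handle so the invariant is structural rather than checked only in debug builds. nghttp2_session_pack_data begins and ends outside the hunk.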
@@ -3124,6 +3124,39 @@ void test_nghttp2_submit_data_read_length_too_large(void)
 CU_ASSERT(NGHTTP2_FLAG_END_STREAM == data_frame->hd.flags);
 nghttp2_session_del(session);
+
+ /* Check that buffers are expanded */
+ CU_ASSERT(0 == nghttp2_session_client_new(&session, &callbacks, &ud));
+
+ ud.data_source_length = NGHTTP2_MAX_FRAME_SIZE_MAX;
+
+ session->remote_settings.max_frame_size = NGHTTP2_MAX_FRAME_SIZE_MAX;
+
+ nghttp2_session_open_stream(session, 1, NGHTTP2_STREAM_FLAG_NONE,
+ &pri_spec_default, NGHTTP2_STREAM_OPENING,
+ NULL);
+ CU_ASSERT(0 == nghttp2_submit_data(session,
+ NGHTTP2_FLAG_END_STREAM, 1, &data_prd));
+
+ ud.block_count = 0;
+ CU_ASSERT(0 == nghttp2_session_send(session));
+
+ aob = &session->aob;
+
+ data_frame = nghttp2_outbound_item_get_data_frame(aob->item);
+
+ framebufs = &aob->framebufs;
+
+ buf = &framebufs->head->buf;
+ nghttp2_frame_unpack_frame_hd(&hd, buf->pos);
+
+ CU_ASSERT(NGHTTP2_FLAG_NONE == hd.flags);
+ CU_ASSERT(nghttp2_min(NGHTTP2_INITIAL_CONNECTION_WINDOW_SIZE,
+ NGHTTP2_INITIAL_WINDOW_SIZE) == hd.length);
+ /* frame->hd.flags has these flags */
+ CU_ASSERT(NGHTTP2_FLAG_END_STREAM == data_frame->hd.flags);
+
+ nghttp2_session_del(session);
 }
 void test_nghttp2_submit_data_read_length_smallest(void)
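Review bot: The new case is labelled `/* Check that buffers are expanded */`, but none of its assertions looks at the buffer — they check the first DATA frame's header and flags — so the regression it guards (the crash after reallocation) is caught only by the test not crashing. An explicit check on the head buffer, e.g. `CU_ASSERT(nghttp2_buf_cap(buf) >= NGHTTP2_FRAME_HDLEN + hd.length);` if that accessor is available in this tree, would make the intent verifiable and would fail loudly if a later change capped the payload at the default chunk size instead of growing the buffer. The return value of `nghttp2_session_open_stream` is also discarded, unlike the CU_ASSERT-wrapped calls around it, so a NULL stream would surface later as a less obvious failure. The enclosing test function begins before the hunk.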