HTTP/3: skip empty request body buffers (ticket #2374).

When client DATA frame header and its content come in different QUIC packets, it may happen that only the header is processed by the first ngx_http_v3_request_body_filter() call. In this case an empty request body buffer is added to r->request_body->bufs, which is later reused in a subsequent ngx_http_v3_request_body_filter() call without being removed from the body chain. As a result, rb->request_body->bufs ends up with two copies of the same buffer. The fix is to avoid adding empty request body buffers to r->request_body->bufs.
2022-08-03 16:59:51 +04:00 · 2022-08-03 16:59:51 +04:00 · 2d72193dc0
parent d3d5a9b8a4
commit 2d72193dc0
1 changed files with 9 additions and 7 deletions
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@ -1552,15 +1552,17 @@ ngx_http_v3_request_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
                }

                /* rc == NGX_OK */
-            }

-            if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
-                ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
-                              "client intended to send too large "
-                              "body: %O+%ui bytes",
-                              rb->received, st->length);
+                if (max != -1 && (uint64_t) (max - rb->received) < st->length) {
+                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                                  "client intended to send too large "
+                                  "body: %O+%ui bytes",
+                                  rb->received, st->length);

-                return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+                    return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+                }
+
+                continue;
            }

            if (b