bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.

2024-10-13 00:29:41 +00:00 · 2024-03-26 09:09:28 +08:00
parent 7b7fcbe078
commit ef54f920b0
3 changed files with 75 additions and 0 deletions
--- a/patches/nginx-CVE-2024-24990.patch
+++ b/patches/nginx-CVE-2024-24990.patch
@ -0,0 +1,27 @@
+commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
+Author: Roman Arutyunyan <arut@nginx.com>
+Date:   Wed Feb 14 15:55:37 2024 +0400
+
+    QUIC: fixed stream cleanup (ticket #2586).
+    
+    Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
+    ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
+    to the connection (sc->connection = NULL).  Previously if this call failed,
+    sc->connection retained the old value, while the connection was freed by the
+    application code.  This resulted later in a second attempt to close the freed
+    connection, which lead to allocator double free error.
+    
+    The fix is to reset the sc->connection pointer in case of error.
+
+diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
+index df04d0f07..178b805e4 100644
+--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
+@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
+                    "quic stream id:0x%xL cleanup", qs->id);
+ 
+     if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+        qs->connection = NULL;
+         goto failed;
+     }
+