From 09f4db1fc0ae5c1ad649316c1b97934af628736b Mon Sep 17 00:00:00 2001 From: Igor Sysoev Date: Fri, 18 Sep 2020 13:20:02 +0300 Subject: Fixed use-after-free error during reconfiguration. An idle connection was not removed from idle connection list if the connections detected that listening socket had been closed. --- src/nxt_h1proto.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/nxt_h1proto.c') diff --git a/src/nxt_h1proto.c b/src/nxt_h1proto.c index b34be019..f340ea1e 100644 --- a/src/nxt_h1proto.c +++ b/src/nxt_h1proto.c @@ -1829,6 +1829,8 @@ nxt_h1p_idle_close(nxt_task_t *task, void *obj, void *data) nxt_debug(task, "h1p idle close"); + nxt_queue_remove(&c->link); + nxt_h1p_idle_response(task, c); } -- cgit From 6cfbf4ba791000705efeed4d29a212f6bd86821c Mon Sep 17 00:00:00 2001 From: Igor Sysoev Date: Fri, 18 Sep 2020 13:20:05 +0300 Subject: Fixed segmentation fault during reconfiguration. --- src/nxt_h1proto.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/nxt_h1proto.c') diff --git a/src/nxt_h1proto.c b/src/nxt_h1proto.c index f340ea1e..94b74929 100644 --- a/src/nxt_h1proto.c +++ b/src/nxt_h1proto.c @@ -1749,7 +1749,15 @@ nxt_h1p_conn_timer_value(nxt_conn_t *c, uintptr_t data) joint = c->listen->socket.data; - return nxt_value_at(nxt_msec_t, joint->socket_conf, data); + if (nxt_fast_path(joint != NULL)) { + return nxt_value_at(nxt_msec_t, joint->socket_conf, data); + } + + /* + * Listening socket had been closed while + * connection was in keep-alive state. + */ + return 1; } -- cgit From 6b9882fc142cab4a15a272991096ef4db260bf0f Mon Sep 17 00:00:00 2001 
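Review bot: The added `nxt_queue_remove(&c->link);` in nxt_h1p_idle_close() is unconditional and carries no comment, so nothing records that `c` must still be on the idle connection list when this handler runs. If any other path can unlink the connection first (the sibling idle-timeout handler is not visible in this hunk), a second removal would operate on stale link pointers; that invariant should be confirmed against the other idle handlers. I would add a comment above the call such as `/* c is still on the idle connection list; unlink it so the list never holds a closed connection. */`. The function body starts above the hunk, so the state of `c` on entry is not visible here.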
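Review bot: In nxt_h1p_conn_timer_value() the new NULL guard covers only `joint`; `c->listen` is still dereferenced unconditionally on the context line `joint = c->listen->socket.data;` just above it. The fix therefore relies on the listen object outliving every keep-alive connection, with only its `socket.data` cleared on close. The hunk does not show that, and it is worth confirming given that this series fixes lifetime bugs during reconfiguration. Separately, the fallback `return 1;` is a bare literal: the comment explains why `joint` can be NULL but not why 1 was chosen. Once the intent and the unit are confirmed, I would extend the comment with something like `/* Minimal non-zero timeout so the timer fires and the connection is closed promptly. */`.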
From: Igor Sysoev Date: Fri, 18 Sep 2020 13:20:06 +0300 Subject: Fixed segmentation fault during reconfiguration. If idle connection was closed before h1proto had been allocated then c->socket.data is NULL. This happens if nxt_h1p_idle_response() is called by nxt_h1p_idle_close(). However, h1p->conn_write_tail is used only in nxt_h1p_request_send() that would not be called after nxt_h1p_idle_response(). The bug was introduced in f237e8c553fd. --- src/nxt_h1proto.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'src/nxt_h1proto.c') diff --git a/src/nxt_h1proto.c b/src/nxt_h1proto.c index 94b74929..17046187 100644 --- a/src/nxt_h1proto.c +++ b/src/nxt_h1proto.c @@ -1873,10 +1873,9 @@ nxt_h1p_idle_timeout(nxt_task_t *task, void *obj, void *data) static void nxt_h1p_idle_response(nxt_task_t *task, nxt_conn_t *c) { - u_char *p; - size_t size; - nxt_buf_t *out, *last; - nxt_h1proto_t *h1p; + u_char *p; + size_t size; + nxt_buf_t *out, *last; size = nxt_length(NXT_H1P_IDLE_TIMEOUT) + nxt_http_date_cache.size @@ -1906,9 +1905,6 @@ nxt_h1p_idle_response(nxt_task_t *task, nxt_conn_t *c) last->completion_handler = nxt_h1p_idle_response_sent; last->parent = c; - h1p = c->socket.data; - h1p->conn_write_tail = &last->next; - c->write = out; c->write_state = &nxt_h1p_timeout_response_state; -- cgit From c4b000f9cc377b6a13777eb10e858c90de6264fe Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Tue, 29 Sep 2020 22:57:46 +0300 Subject: Supporting HTTP/1.0 keep-alive. The Apache HTTP server benchmarking tool, ab, issues HTTP/1.0 requests with the 'Connection: Keep-Alive' header and expects a 'Connection: Keep-Alive' header in the response. --- src/nxt_h1proto.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src/nxt_h1proto.c') diff --git a/src/nxt_h1proto.c b/src/nxt_h1proto.c index 17046187..7c695549 100644 --- a/src/nxt_h1proto.c +++ b/src/nxt_h1proto.c 
@@ -734,9 +734,16 @@ nxt_h1p_connection(void *ctx, nxt_http_field_t *field, uintptr_t data) r = ctx; field->hopbyhop = 1; - if (field->value_length == 5 && nxt_memcmp(field->value, "close", 5) == 0) { + if (field->value_length == 5 + && nxt_memcasecmp(field->value, "close", 5) == 0) + { r->proto.h1->keepalive = 0; + } else if (field->value_length == 10 + && nxt_memcasecmp(field->value, "keep-alive", 10) == 0) + { + r->proto.h1->keepalive = 1; + } else if (field->value_length == 7 && nxt_memcasecmp(field->value, "upgrade", 7) == 0) { -- cgit From c5cb2432c473a00a8af69b8930b268552afce85b Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Wed, 30 Sep 2020 16:36:57 +0300 Subject: Fixing router connection pool leakage. The connection's local socket address is allocated from the connection pool before the request is passed to the application; however, with keep-alive connections, this field was unconditionally reset by a socket configuration value that could be NULL. For the next request, the address was allocated again from the same connection pool. Nonetheless, all leaked addresses were released when the connection was closed. The issue introduced in changeset 5c7dd85fabd5. --- src/nxt_h1proto.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src/nxt_h1proto.c') diff --git a/src/nxt_h1proto.c b/src/nxt_h1proto.c index 7c695549..dc23d7c4 100644 --- a/src/nxt_h1proto.c +++ b/src/nxt_h1proto.c @@ -503,7 +503,10 @@ nxt_h1p_conn_request_init(nxt_task_t *task, void *obj, void *data) joint->count++; r->conf = joint; - c->local = joint->socket_conf->sockaddr; + + if (c->local == NULL) { + c->local = joint->socket_conf->sockaddr; + } nxt_h1p_conn_request_header_parse(task, c, h1p); return; -- cgit
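Review bot: The new `keep-alive` branch in nxt_h1p_connection() sets `keepalive = 1` unconditionally, so if this handler runs once per Connection field, a request carrying `Connection: close` followed by `Connection: keep-alive` ends with the connection kept open; `close` should take precedence regardless of order. Both branches also compare the whole field value by exact length, so list forms such as `keep-alive, Upgrade` or `close, TE` match neither; that predates this change, but the new branch extends the pattern. At minimum I would document the limitation above the chain, e.g. `/* Whole-value match only; comma-separated option lists are not tokenized here. */`, and have the keep-alive branch leave `keepalive` untouched once close has been seen. The if/else chain continues past the end of the hunk, so the remaining branches are not visible.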
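Review bot: With the `if (c->local == NULL)` guard in nxt_h1p_conn_request_init(), a `c->local` taken from `joint->socket_conf->sockaddr` on the first request is now kept for later keep-alive requests instead of being refreshed from the current `joint`. If that sockaddr is owned by the socket configuration rather than the connection pool, the pointer is borrowed across requests. It is worth confirming that it cannot outlive a configuration released during reconfiguration, since the other commits in this series fix that class of bug. I would record the ownership next to the assignment, e.g. `/* c->local is either allocated from the connection pool or borrowed from socket_conf; set once per connection. */`. The function starts above the hunk, so how `joint` is obtained and validated before `joint->count++` is not visible here.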