SPDY: fixed the DATA frame length handling in case of some errors. There are a few cases in ngx_http_spdy_state_read_data() related to error handling when ngx_http_spdy_state_skip() might be called with an inconsistent state between *pos and sc->length, that leads to violation of frame layout parsing and resuted in corruption of spdy connection. Based on a patch by Xiaochen Wang.

commit: afb92a8127d30e7c4ff6387a9b9761924b134940 [log] [tgz]
author: Valentin Bartenev <vbart@nginx.com> Fri Mar 28 20:05:07 2014 +0400
committer: Valentin Bartenev <vbart@nginx.com> Fri Mar 28 20:05:07 2014 +0400
tree: 02d1feaaef48dda559580d08ab4ac6b5ff129b26
parent: de3c7a825ee446fe4e0dc84df3d57bfebdf8c6f6 [diff] [blame]
diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c
index 9c80feb..bada9c8 100644
--- a/src/http/ngx_http_spdy.c
+++ b/src/http/ngx_http_spdy.c

@@ -1528,7 +1528,6 @@
         complete = 1;
 
     } else {
-        sc->length -= size;
         complete = 0;
     }
 
@@ -1571,6 +1570,8 @@
             }
         }
 
+        sc->length -= size;
+
         if (tf) {
             buf->start = pos;
             buf->pos = pos;
commit	afb92a8127d30e7c4ff6387a9b9761924b134940	[log] [tgz]
author	Valentin Bartenev <vbart@nginx.com>	Fri Mar 28 20:05:07 2014 +0400
committer	Valentin Bartenev <vbart@nginx.com>	Fri Mar 28 20:05:07 2014 +0400
tree	02d1feaaef48dda559580d08ab4ac6b5ff129b26
parent	de3c7a825ee446fe4e0dc84df3d57bfebdf8c6f6 [diff] [blame]