From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
Date: Wed, 10 Jan 2018 10:12:18 -0800
Subject: [PATCH] http2: fix incorrect trailer buffer size
Prior to this change the stored byte count of each trailer was
miscalculated and 1 less than required. It appears any trailer
after the first that was passed to Curl_client_write would be truncated
or corrupted as well as the size. Potentially the size of some
subsequent trailer could be erroneously extracted from the contents of
that trailer, and since that size is used by client write an
out-of-bounds read could occur and cause a crash or be otherwise
processed by client write.
The bug appears to have been born in 0761a51 (precedes 7.49.0).
Closes https://github.com/curl/curl/pull/2231
---
lib/http2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/lib/http2.c
|
|
+++ b/lib/http2.c
|
|
@@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
|
|
|
|
if(stream->bodystarted) {
|
|
/* This is trailer fields. */
|
|
- /* 3 is for ":" and "\r\n". */
|
|
- uint32_t n = (uint32_t)(namelen + valuelen + 3);
|
|
+ /* 4 is for ": " and "\r\n". */
|
|
+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
|
|
|
|
DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
|
|
value));
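Review bot: The corrected line `uint32_t n = (uint32_t)(namelen + valuelen + 4);` still hard-codes the separator width (`4` for `": "` and `"\r\n"`) independently of the code that actually formats the trailer into the buffer later in on_header, outside this hunk, so the two can drift apart again exactly as they did before this fix; the comment should at least say so, e.g. `/* 4 is for ": " and "\r\n" -- keep in sync with the trailer format written below */`, or better, `n` should be derived from the formatted length rather than a literal. The cast also narrows two `size_t` values to `uint32_t` with no check, and since the stored `n` is what Curl_client_write later trusts as the length (per the commit message), a wrapped value would reproduce the very out-of-bounds read this patch closes. A guard before the assignment such as `if(namelen > UINT32_MAX - 4 || valuelen > UINT32_MAX - 4 - namelen) return NGHTTP2_ERR_CALLBACK_FAILURE;` is cheap insurance, even if nghttp2's own header-size limits presumably make it unreachable in practice. on_header begins before this hunk and continues past it.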
|