| 12345678910111213141516171819202122232425262728293031323334 |
- From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
- From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
- Date: Wed, 10 Jan 2018 10:12:18 -0800
- Subject: [PATCH] http2: fix incorrect trailer buffer size
- Prior to this change the stored byte count of each trailer was
- miscalculated and 1 less than required. It appears any trailer
- after the first that was passed to Curl_client_write would be truncated
- or corrupted as well as the size. Potentially the size of some
- subsequent trailer could be erroneously extracted from the contents of
- that trailer, and since that size is used by client write an
- out-of-bounds read could occur and cause a crash or be otherwise
- processed by client write.
- The bug appears to have been born in 0761a51 (precedes 7.49.0).
- Closes https://github.com/curl/curl/pull/2231
- ---
- lib/http2.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
- --- a/lib/http2.c
- +++ b/lib/http2.c
- @@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
-
- if(stream->bodystarted) {
- /* This is trailer fields. */
- - /* 3 is for ":" and "\r\n". */
- - uint32_t n = (uint32_t)(namelen + valuelen + 3);
- + /* 4 is for ": " and "\r\n". */
- + uint32_t n = (uint32_t)(namelen + valuelen + 4);
-
- DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
- value));
|
