[GNUnet-SVN] [gnurl] 98/125: http2: fix incorrect trailer buffer size
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 98/125: http2: fix incorrect trailer buffer size
Date: Sun, 21 Jan 2018 23:42:33 +0100

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit fa3dbb9a147488a2943bda809c66fc497efe06cb
Author: Zhouyihai Ding <address@hidden>
AuthorDate: Wed Jan 10 10:12:18 2018 -0800

    http2: fix incorrect trailer buffer size

    Prior to this change the stored byte count of each trailer was
    miscalculated and 1 less than required. It appears any trailer
    after the first that was passed to Curl_client_write would be truncated
    or corrupted as well as the size. Potentially the size of some
    subsequent trailer could be erroneously extracted from the contents of
    that trailer, and since that size is used by client write an
    out-of-bounds read could occur and cause a crash or be otherwise
    processed by client write.

    The bug appears to have been born in 0761a51 (precedes 7.49.0).

    Closes https://github.com/curl/curl/pull/2231
---
lib/http2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/http2.c b/lib/http2.c
index 8e2fc7199..699287940 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const
nghttp2_frame *frame,
if(stream->bodystarted) {
/* This is trailer fields. */
- /* 3 is for ":" and "\r\n". */
- uint32_t n = (uint32_t)(namelen + valuelen + 3);
+ /* 4 is for ": " and "\r\n". */
+ uint32_t n = (uint32_t)(namelen + valuelen + 4);
DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
value));
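Review bot: The length in `uint32_t n = (uint32_t)(namelen + valuelen + 4);` is still a hand-counted constant, tied to the separators only by the comment above it, which is the same arrangement that left the count 1 short before. Consider deriving it from the literals that are actually written into the trailer buffer, for example `sizeof(": ") - 1 + sizeof("\r\n") - 1`, so the stored size and the bytes written cannot drift apart again. The sum is also narrowed to uint32_t with no range check visible in this hunk; if namelen and valuelen are wider than 32 bits, a bound check before the cast would keep n from wrapping. The diffstat shows only lib/http2.c changed, so a regression test that receives a response with two or more trailers would be worth adding, since the commit message says it is the trailers after the first that were truncated or corrupted.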