
Sending a header with a newline causes a crash with HTTP/3 #16998


Closed
DemiMarie opened this issue Apr 9, 2025 · 3 comments
Assignees
Labels
crash HTTP/3 h3 or quic related

Comments

@DemiMarie

I did this

I made an HTTP/3 request with `curl --http3-only -H $'a: a\x0ab' SOMEURL`. Sending a newline in an HTTP header only makes sense if (as I was) one is trying to test a web server (in my case a custom patch for NGINX), but I was not expecting to get:

curl: nghttp3_conn.c:2463: nghttp3_conn_shutdown_stream_read: Assertion `stream_id >= 0' failed.

and a core dump.

I don’t consider this a security vulnerability because the documentation is very clear that it is the application’s job to sanitize headers passed to curl, and indeed if the request was made using HTTP/1.x then allowing newlines in headers leads to header value injection or even request smuggling. Other invalid header values (like `a: \x01`) don’t trigger this issue.

I expected the following

I’m not sure. Perhaps curl should give an error stating that newlines aren’t allowed in headers. In any case, curl shouldn’t crash.

curl/libcurl version

curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.4.1 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.65.0 nghttp3/1.8.0
Release-Date: 2025-04-02
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Linux nginx 6.12.21-1.qubes.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Mar 31 11:38:40 GMT 2025 x86_64 GNU/Linux
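The report notes that it is the application's job to sanitize headers before passing them to curl. As an added example (not curl's or the reporter's code), here is a C check an application can run over each `Name: value` line before `curl_slist_append()`; it assumes the RFC 9110 field grammar (token name, no CR/LF/control bytes in the value) and rejects both the `a: a\nb` header from the report and the `a: \x01` value that happened not to crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 9110 tchar: ALPHA / DIGIT / "!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~" */
static bool is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Field-value octets: VCHAR (0x21-0x7E), obs-text (0x80-0xFF), SP and HTAB.
 * CR, LF, NUL and every other control byte are rejected. */
static bool is_field_vchar(unsigned char c)
{
    return c == ' ' || c == '\t' || (c >= 0x21 && c <= 0x7E) || c >= 0x80;
}

/* Returns true only if `line` is a well-formed "Name: value" field line.
 * Hypothetical helper; run it before curl_slist_append()/CURLOPT_HTTPHEADER.
 * Note: a C string cannot carry an embedded NUL, so length-checked input
 * must be verified separately by the caller. */
bool header_line_is_safe(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)        /* no colon, or empty name */
        return false;
    for (const char *p = line; p < colon; p++) /* name must be a token */
        if (!is_tchar((unsigned char)*p))
            return false;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')            /* optional leading whitespace */
        v++;
    for (const char *p = v; *p; p++)           /* value: no CR/LF/controls */
        if (!is_field_vchar((unsigned char)*p))
            return false;
    return true;                               /* empty value is permitted */
}

int main(void)
{
    /* Constructed inputs: the header from the report and a benign one. */
    const char *bad = "a: a\nb", *ok = "User-Agent: curl/8.13.0";
    printf("%-26s -> %s\n", "a: a<LF>b", header_line_is_safe(bad) ? "accept" : "reject");
    printf("%-26s -> %s\n", ok, header_line_is_safe(ok) ? "accept" : "reject");
    return 0;
}
```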

@bagder bagder added crash HTTP/3 h3 or quic related labels Apr 9, 2025
@icing icing self-assigned this Apr 9, 2025
icing added a commit to icing/curl that referenced this issue Apr 9, 2025
Check that h3 stream had been opened before telling nghttp3 to
shut it down.

refs curl#16998
@icing
Contributor

icing commented Apr 9, 2025

Thanks for the report @DemiMarie . This is indeed a bug in curl's experimental HTTP/3 support with OpenSSL's own QUIC stack.

A new test case and fix in #17003. Would appreciate if you could verify this works for you as well. Thanks!

@DemiMarie
Author

@icing thanks for the fix! I’m not sure when I’ll get around to testing this, but if the fix passes tests with sanitizers enabled it should be okay. I’ll also report a bug to Arch for building their libcurl with OpenSSL QUIC instead of ngtcp2.

@bagder bagder closed this as completed in 219302b Apr 10, 2025
@bagder
Member

bagder commented Apr 10, 2025

As we believe the PR fixes this issue, we moved ahead and closed this when it merged. If you have any issues later when you get a chance to try this out, let us know!

nbaws pushed a commit to nbaws/curl that referenced this issue Apr 26, 2025
Check that h3 stream had been opened before telling nghttp3 to
shut it down.

Fixes curl#16998
Reported-by: Demi Marie Obenour
Closes curl#17003