http2.c: fix incorrect trailer buffer size #2231

Closed
wants to merge 1 commit into from

@ZhouyihaiDing
commented Jan 10, 2018

When reading a trailer, the pointer will read the wrong address (where trailer_pos[0] = '\0') on the second loop, which will mess up all the trailers after it.

The PR "http2: Add space between colon and header" adds this space.

@ZhouyihaiDing ZhouyihaiDing changed the title Fix incorrect trailer buffer size http2.c: fix incorrect trailer buffer size Jan 10, 2018

@ZhouyihaiDing ZhouyihaiDing force-pushed the ZhouyihaiDing:trailer_buffer_size branch from 3f3e39b to e4e1687 Jan 10, 2018

@jay jay closed this in fa3dbb9 Jan 11, 2018

@jay

Member

commented Jan 11, 2018

Thanks

@jay jay added the HTTP/2 label Jan 11, 2018

weltling added a commit to winlibs/cURL that referenced this pull request Jan 25, 2018

http2: fix incorrect trailer buffer size
Prior to this change the stored byte count of each trailer was
miscalculated and 1 less than required. It appears any trailer
after the first that was passed to Curl_client_write would be truncated
or corrupted as well as the size. Potentially the size of some
subsequent trailer could be erroneously extracted from the contents of
that trailer, and since that size is used by client write an
out-of-bounds read could occur and cause a crash or be otherwise
processed by client write.

The bug appears to have been born in 0761a51 (precedes 7.49.0).

Closes curl/curl#2231

@lock lock bot locked as resolved and limited conversation to collaborators May 9, 2018
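
The failure mode described in the commit message above, as an added example that is not curl's code and not part of this pull request: a constructed model of a length-prefixed trailer buffer, showing where an unchecked reader lands when each stored count is one short, next to a reader that validates every length before using it. The record layout, the function names and the `grpc-*` sample trailers are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not curl source. Assumed record layout: 4-byte length n,
   "name: value\r\n", then one NUL that n does not count. framing is the count
   used for ": " plus "\r\n": 4 is correct, 3 is one byte short. */
static size_t put_trailer(unsigned char *buf, size_t pos, const char *name,
                          const char *value, size_t framing)
{
  size_t nl = strlen(name), vl = strlen(value);
  uint32_t n = (uint32_t)(nl + vl + framing);
  memcpy(buf + pos, &n, sizeof(n)); pos += sizeof(n);
  memcpy(buf + pos, name, nl);      pos += nl;
  memcpy(buf + pos, ": ", 2);       pos += 2;
  memcpy(buf + pos, value, vl);     pos += vl;
  memcpy(buf + pos, "\r\n", 3);     /* '\r', '\n' and the NUL */
  return pos + 3;
}

/* Bounds-checked reader: returns the record count, or -1 if inconsistent. */
static int walk_trailers(const unsigned char *buf, size_t len)
{
  size_t pos = 0;
  int count;
  for(count = 0; pos < len; count++) {
    uint32_t n;
    if(len - pos < sizeof(n)) return -1;
    memcpy(&n, buf + pos, sizeof(n)); pos += sizeof(n);
    if(n < 2 || n >= len - pos) return -1; /* n bytes plus NUL must fit */
    if(buf[pos + n - 2] != '\r' || buf[pos + n - 1] != '\n' || buf[pos + n])
      return -1;                           /* length disagrees with framing */
    pos += (size_t)n + 1;
  }
  return count;
}

/* Two constructed trailers. *landing is the byte an unchecked reader that
   advances by n + 1 would take as the start of the second record. */
static int demo(size_t framing, unsigned char *landing)
{
  unsigned char buf[128];
  uint32_t n;
  size_t end = put_trailer(buf, 0, "grpc-status", "0", framing);
  end = put_trailer(buf, end, "grpc-message", "ok", framing);
  memcpy(&n, buf, sizeof(n));
  *landing = buf[sizeof(n) + n + 1];
  return walk_trailers(buf, end);
}

int main(void) { unsigned char b; return demo(4, &b) == 2 ? 0 : 1; }
```

With `framing` set to 3 the unchecked landing byte is the first record's NUL terminator, so every later length would be read from the wrong offset; the checked reader rejects the buffer instead of passing a bogus size downstream.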
