/node

Permalink
Browse files

test: add regression test for nghttp2 CVE-2018-1000168 

PR-URL: nodejs-private/node-private#117
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
  • Loading branch information...
@jasnell @MylesBorins
jasnell authored and MylesBorins committed Apr 13, 2018
Verified
This commit was signed with a verified signature.
@MylesBorins MylesBorins Myles Borins
GPG key ID: 933B01F40B5CA946 Learn about signing commits
1 parent 01bc571 commit 0d79c84a839fb52ccb9e3f0c46541613a1d3db3a
Unified Split
Showing with 49 additions and 0 deletions.
  1. +10 −0 test/common/http2.js
  2. +39 −0 test/parallel/test-http2-malformed-altsvc.js
10 test/common/http2.js
@@ -127,8 +127,18 @@ class PingFrame extends Frame {
}
}
class AltSvcFrame extends Frame {
constructor(size) {
const buffers = [Buffer.alloc(size)];
super(size, 10, 0, 0);
buffers.unshift(this[kFrameData]);
this[kFrameData] = Buffer.concat(buffers);
}
}
module.exports = {
Frame,
AltSvcFrame,
DataFrame,
HeadersFrame,
SettingsFrame,
39 test/parallel/test-http2-malformed-altsvc.js
@@ -0,0 +1,39 @@
'use strict';
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
const http2 = require('http2');
const net = require('net');
const h2test = require('../common/http2');
const server = http2.createServer();
server.on('stream', common.mustNotCall());
const settings = new h2test.SettingsFrame();
const settingsAck = new h2test.SettingsFrame(true);
const altsvc = new h2test.AltSvcFrame((1 << 14) + 1);
server.listen(0, () => {
const client = net.connect(server.address().port, () => {
client.write(h2test.kClientMagic, () => {
client.write(settings.data, () => {
client.write(settingsAck.data);
// Prior to nghttp2 1.31.1, sending this malformed altsvc frame
// would cause a segfault. This test is successful if a segfault
// does not occur.
client.write(altsvc.data, common.mustCall(() => {
client.destroy();
}));
});
});
});
// An error may or may not be emitted on the client side, we don't care
// either way if it is, but we don't want to die if it is.
client.on('error', () => {});
client.on('close', common.mustCall(() => server.close()));
client.resume();
});

0 comments on commit 0d79c84

Please sign in to comment.