http2: convert an assert to run-time check

Fuzzing has proven we can reach code in on_frame_recv with status_code
not having been set, so let's detect that in run-time (instead of with
assert) and error accordingly.

(This should no longer happen with the latest nghttp2)

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
Closes #2514
Daniel Stenberg 2018-04-21 12:33:52 +02:00
parent a39593d282
commit 0a3589ccd0
GPG key ID: 5CC908FDB71E12C2


@ -624,8 +624,10 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
}
/* nghttp2 guarantees that :status is received, and we store it to
stream->status_code */
DEBUGASSERT(stream->status_code != -1);
stream->status_code. Fuzzing has proven this can still be reached
without status code having been set. */
if(stream->status_code == -1)
return NGHTTP2_ERR_CALLBACK_FAILURE;
/* Only final status code signals the end of header */
if(stream->status_code / 100 != 1) {
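
Review bot: The new `if(stream->status_code == -1)` branch returns NGHTTP2_ERR_CALLBACK_FAILURE silently, so a transfer that hits this path fails with nothing to say that a missing :status was the cause. Consider emitting a failure or trace message immediately before the return so the condition can be told apart from other callback failures in logs and fuzzer output. The rewritten comment could also carry the commit message's note that this should no longer happen with the latest nghttp2, since otherwise a later reader sees a check that contradicts the "nghttp2 guarantees" sentence directly above it with no explanation of which versions are affected. Dropping the DEBUGASSERT is reasonable given that the fuzzer reaches this state from network input, but it would help to have a regression test or a saved fuzz input referenced alongside the change so the run-time path stays exercised.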