http2.c: fix incorrect trailer buffer size #2231

Closed

@ZhouyihaiDing ZhouyihaiDing commented Jan 10, 2018

When reading trailers, the pointer will read the wrong address (at which trailer_pos[0] = '\0') on the second loop, which will mess up all the trailers after it.

PR "http2: Add space between colon and header" adds this space.

@ZhouyihaiDing ZhouyihaiDing changed the title Fix incorrect trailer buffer size http2.c: fix incorrect trailer buffer size Jan 10, 2018
Member

jay commented Jan 11, 2018

Thanks

@jay jay added the HTTP/2 label Jan 11, 2018
weltling pushed a commit to winlibs/cURL that referenced this pull request Jan 25, 2018
Prior to this change the stored byte count of each trailer was
miscalculated and 1 less than required. It appears any trailer
after the first that was passed to Curl_client_write would be truncated
or corrupted as well as the size. Potentially the size of some
subsequent trailer could be erroneously extracted from the contents of
that trailer, and since that size is used by client write an
out-of-bounds read could occur and cause a crash or be otherwise
processed by client write.

The bug appears to have been born in 0761a51 (precedes 7.49.0).

Closes curl/curl#2231
@lock lock bot locked as resolved and limited conversation to collaborators May 9, 2018
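
The length miscount described in the commit message above, reproduced in a small model as an added example; this is not curl's code. The record layout (4-byte length, `name: value\r\n`, NUL) and the names `put_trailer`, `walk_trailers` and `demo` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not curl's code: [uint32_t n]["name: value\r\n"][NUL].
   sep = 3 models the stored count being one byte short; sep = 4 is correct. */
static size_t put_trailer(unsigned char *buf, size_t used, const char *name,
                          const char *value, uint32_t sep)
{
  size_t nl = strlen(name), vl = strlen(value);
  uint32_t n = (uint32_t)(nl + vl) + sep;
  memcpy(buf + used, &n, sizeof(n)); used += sizeof(n);
  memcpy(buf + used, name, nl);      used += nl;
  memcpy(buf + used, ": ", 2);       used += 2;
  memcpy(buf + used, value, vl);     used += vl;
  memcpy(buf + used, "\r\n", 3);     used += 3; /* the literal's NUL too */
  return used;
}

/* Walk as a reader would: take n, consume n bytes, skip the NUL, saving each
   n in lens[]. Returns the record count, or -1 if a length overruns the buffer. */
static int walk_trailers(const unsigned char *buf, size_t used,
                         uint32_t *lens, int max)
{
  size_t pos = 0;
  int count = 0;
  while(pos < used && count < max) {
    uint32_t n;
    if(used - pos < sizeof(n)) return -1;
    memcpy(&n, buf + pos, sizeof(n)); pos += sizeof(n);
    lens[count++] = n;
    if(n >= used - pos) return -1; /* added check: never read past the end */
    pos += (size_t)n + 1;
  }
  return count;
}

int demo(uint32_t sep, uint32_t *lens) /* lens must hold 4 entries */
{
  unsigned char buf[64]; /* two constructed trailers: "a: 1" and "b: 2" */
  size_t used = put_trailer(buf, 0, "a", "1", sep);
  used = put_trailer(buf, used, "b", "2", sep);
  return walk_trailers(buf, used, lens, 4);
}

int main(void)
{
  uint32_t lens[4];
  printf("correct: %d, miscounted: %d\n", demo(4, lens), demo(3, lens));
  return 0;
}
```

With the correct count the walk returns 2 records. With the count one byte short, the second length is read starting at the first record's NUL, so it no longer matches what was stored and the bounds check rejects the walk.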