
http2: handle on_begin_headers() called more than once

This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
Daniel Stenberg 2018-04-18 23:51:01 +02:00
parent 8996300211
commit 6d3c9c8ab4
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -870,16 +870,12 @@ static int on_begin_headers(nghttp2_session *session,
return 0; return 0;
} }
/* This is trailer HEADERS started. Allocate buffer for them. */ if(!stream->trailer_recvbuf) {
H2BUGF(infof(data_s, "trailer field started\n"));
DEBUGASSERT(stream->trailer_recvbuf == NULL);
stream->trailer_recvbuf = Curl_add_buffer_init(); stream->trailer_recvbuf = Curl_add_buffer_init();
if(!stream->trailer_recvbuf) { if(!stream->trailer_recvbuf) {
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
} }
}
return 0; return 0;
} }
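Review bot: The new `if(!stream->trailer_recvbuf)` guard has no comment saying why the buffer can already exist, and the commit removes the only comment that explained this branch. I would add `/* on_begin_headers() may run more than once for a stream; keep the existing trailer buffer rather than allocating again and leaking it */` above the guard. Because the existing buffer is reused rather than reset, anything stored by an earlier header block stays in it and later fields are presumably appended. It is worth confirming that the code filling `trailer_recvbuf` caps its total size, since a peer controls how many header blocks arrive. That code and the start of on_begin_headers() are outside this hunk, so this is inferred from the visible lines only.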