author | Daniel Stenberg <daniel@haxx.se> | 2018-04-18 23:51:01 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-04-19 08:06:40 +0200 |
commit | 6d3c9c8ab4754ea21622d65f11df403bbaf46e2d (patch) | |
tree | a829581bb51c47779183e565a6dc03295114c718 | |
parent | 899630021153b2a26a43008cccc6620b6c3f9bbf (diff) | |
download | curl-6d3c9c8ab4754ea21622d65f11df403bbaf46e2d.tar.gz |
http2: handle on_begin_headers() called more than once
This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.
Detected by OSS-Fuzz
Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
-rw-r--r-- | lib/http2.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 6758f9554..e60ae247b 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -870,16 +870,12 @@ static int on_begin_headers(nghttp2_session *session,
 return 0;
 }
- /* This is trailer HEADERS started. Allocate buffer for them. */
- H2BUGF(infof(data_s, "trailer field started\n"));
-
- DEBUGASSERT(stream->trailer_recvbuf == NULL);
-
- stream->trailer_recvbuf = Curl_add_buffer_init();
 if(!stream->trailer_recvbuf) {
- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ stream->trailer_recvbuf = Curl_add_buffer_init();
+ if(!stream->trailer_recvbuf) {
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
 }
-
 return 0;
 } |
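Review bot: When `stream->trailer_recvbuf` already exists, the new outer `if(!stream->trailer_recvbuf)` keeps it untouched, so anything an earlier trailer HEADERS block appended is still in the buffer when the next block starts arriving. Whether that accumulation is intended, and whether anything bounds how far a peer can grow the buffer by repeating HEADERS, is not visible in this hunk; it should be confirmed in the code that appends to and consumes the buffer. The commit also removes the only comment saying this path handles trailers, so I would add `/* trailer HEADERS can begin more than once per stream; reuse the buffer instead of leaking it */` above the outer `if`. The body of `on_begin_headers` starts outside the hunk.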