author | Daniel Stenberg <daniel@haxx.se> | 2018-04-21 12:33:52 +0200
committer | Daniel Stenberg <daniel@haxx.se> | 2018-04-21 12:33:52 +0200
commit | d834884e95189a99501dd01430ffe8140358461b (patch)
tree | dea9ec1f3db47be8ee86e633013118dc06e3daef
parent | d122df5972fc01e39ae28e6bca705237d7e3318a (diff)
http2: convert an assert to run-time check (branch bagder/http2-assert-to-run-time)
Fuzzing has proven we can reach code in on_frame_recv with status_code
not having been set, so let's detect that in run-time (instead of with
assert) and error accordingly.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
-rw-r--r-- lib/http2.c | 6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c index fe5fdb1b8..7dea16125 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -624,8 +624,10 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, } /* nghttp2 guarantees that :status is received, and we store it to - stream->status_code */ - DEBUGASSERT(stream->status_code != -1); + stream->status_code. Fuzzing has proven this can still be reached + without status code having been set. */ + if(stream->status_code == -1) + return NGHTTP2_ERR_CALLBACK_FAILURE; /* Only final status code signals the end of header */ if(stream->status_code / 100 != 1) { |
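Review bot: the comment at the top of this hunk still opens with "nghttp2 guarantees that :status is received" while the two added lines handle exactly the case where it was not, so the comment now contradicts the code it introduces; reword it to state what actually holds (the :status pseudo-header is expected but, as fuzzing showed, not guaranteed at this point, so it is checked). Also worth a thought: NGHTTP2_ERR_CALLBACK_FAILURE is nghttp2's fatal, session-level error, so a single stream arriving here takes the whole connection down, and nothing is logged before the `return`; a debug message naming the stream id, or resetting just that stream instead of failing the session, would make the condition diagnosable when it is hit outside the fuzzer.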