http2: convert an assert to run-time checkbagder/http2-assert-to-run-time

Fuzzing has proven we can reach code in on_frame_recv with status_code not having been set, so let's detect that in run-time (instead of with assert) and error error accordingly. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
author: Daniel Stenberg <daniel@haxx.se> 2018-04-21 12:33:52 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-04-21 12:33:52 +0200
commit: d834884e95189a99501dd01430ffe8140358461b (patch)
tree: dea9ec1f3db47be8ee86e633013118dc06e3daef
parent: d122df5972fc01e39ae28e6bca705237d7e3318a (diff)
download: curl-bagder/http2-assert-to-run-time.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c
index fe5fdb1b8..7dea16125 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -624,8 +624,10 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
     }
 
     /* nghttp2 guarantees that :status is received, and we store it to
-       stream->status_code */
-    DEBUGASSERT(stream->status_code != -1);
+       stream->status_code. Fuzzing has proven this can still be reached
+       without status code having been set. */
+    if(stream->status_code == -1)
+      return NGHTTP2_ERR_CALLBACK_FAILURE;
 
     /* Only final status code signals the end of header */
     if(stream->status_code / 100 != 1) {
author	Daniel Stenberg <daniel@haxx.se>	2018-04-21 12:33:52 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2018-04-21 12:33:52 +0200
commit	d834884e95189a99501dd01430ffe8140358461b (patch)
tree	dea9ec1f3db47be8ee86e633013118dc06e3daef
parent	d122df5972fc01e39ae28e6bca705237d7e3318a (diff)
download	curl-bagder/http2-assert-to-run-time.tar.gz