http2: handle on_begin_headers() called more than oncebagder/http2-trailer-init

This triggered an assert if called more than once in debug mode (and a memory leak if not debug build). With the right sequence of HTTP/2 headers incoming it can happen. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
author: Daniel Stenberg <daniel@haxx.se> 2018-04-18 23:51:01 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-04-18 23:51:01 +0200
commit: 2a68e0e482fbce0e7a83e6ed3cd204a969e3e8f3 (patch)
tree: a829581bb51c47779183e565a6dc03295114c718
parent: 899630021153b2a26a43008cccc6620b6c3f9bbf (diff)
download: curl-bagder/http2-trailer-init.tar.gz
1 files changed, 4 insertions, 8 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 6758f9554..e60ae247b 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -870,16 +870,12 @@ static int on_begin_headers(nghttp2_session *session,
     return 0;
   }
 
-  /* This is trailer HEADERS started.  Allocate buffer for them. */
-  H2BUGF(infof(data_s, "trailer field started\n"));
-
-  DEBUGASSERT(stream->trailer_recvbuf == NULL);
-
-  stream->trailer_recvbuf = Curl_add_buffer_init();
   if(!stream->trailer_recvbuf) {
-    return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+    stream->trailer_recvbuf = Curl_add_buffer_init();
+    if(!stream->trailer_recvbuf) {
+      return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+    }
   }
-
   return 0;
 }
author	Daniel Stenberg <daniel@haxx.se>	2018-04-18 23:51:01 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2018-04-18 23:51:01 +0200
commit	2a68e0e482fbce0e7a83e6ed3cd204a969e3e8f3 (patch)
tree	a829581bb51c47779183e565a6dc03295114c718
parent	899630021153b2a26a43008cccc6620b6c3f9bbf (diff)
download	curl-bagder/http2-trailer-init.tar.gz