http2: fix incorrect trailer buffer size

Prior to this change the stored byte count of each trailer was miscalculated and 1 less than required. It appears any trailer after the first that was passed to Curl_client_write would be truncated or corrupted as well as the size. Potentially the size of some subsequent trailer could be erroneously extracted from the contents of that trailer, and since that size is used by client write an out-of-bounds read could occur and cause a crash or be otherwise processed by client write. The bug appears to have been born in 0761a51 (precedes 7.49.0). Closes https://github.com/curl/curl/pull/2231
author: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com> 2018-01-10 10:12:18 -0800
committer: Jay Satiro <raysatiro@yahoo.com> 2018-01-11 02:33:24 -0500
commit: fa3dbb9a147488a2943bda809c66fc497efe06cb (patch)
tree: 8acbeb67864fc78059f71e1711ba491d3238d2f8
parent: 2a6dbb8155d3e96640d74f56a3be5cd557c33769 (diff)
download: curl-fa3dbb9a147488a2943bda809c66fc497efe06cb.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 8e2fc7199..699287940 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -925,8 +925,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
 
   if(stream->bodystarted) {
     /* This is trailer fields. */
-    /* 3 is for ":" and "\r\n". */
-    uint32_t n = (uint32_t)(namelen + valuelen + 3);
+    /* 4 is for ": " and "\r\n". */
+    uint32_t n = (uint32_t)(namelen + valuelen + 4);
 
     DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
                  value));
author	Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>	2018-01-10 10:12:18 -0800
committer	Jay Satiro <raysatiro@yahoo.com>	2018-01-11 02:33:24 -0500
commit	fa3dbb9a147488a2943bda809c66fc497efe06cb (patch)
tree	8acbeb67864fc78059f71e1711ba491d3238d2f8
parent	2a6dbb8155d3e96640d74f56a3be5cd557c33769 (diff)
download	curl-fa3dbb9a147488a2943bda809c66fc497efe06cb.tar.gz