authorDaniel Stenberg <daniel@haxx.se>2018-04-21 12:33:52 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-04-23 13:51:32 +0200
commit0a3589ccd0dbf5f3a826b669517ccc12893fa153 (patch)
tree8db1f2732758e7bec9842316f9a69fab2a7f4dc6
parenta39593d2823fd05be609bdd3eac6f1dd005c747f (diff)
downloadcurl-0a3589ccd0dbf5f3a826b669517ccc12893fa153.tar.gz
http2: convert an assert to run-time check
Fuzzing has proven we can reach code in on_frame_recv with status_code not having been set, so let's detect that at run-time (instead of with an assert) and error accordingly. (This should no longer happen with the latest nghttp2.) Detected by OSS-Fuzz. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 Closes #2514
-rw-r--r--lib/http2.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http2.c b/lib/http2.c
index fe5fdb1b8..7dea16125 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -624,8 +624,10 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
}
/* nghttp2 guarantees that :status is received, and we store it to
- stream->status_code */
- DEBUGASSERT(stream->status_code != -1);
+ stream->status_code. Fuzzing has proven this can still be reached
+ without status code having been set. */
+ if(stream->status_code == -1)
+ return NGHTTP2_ERR_CALLBACK_FAILURE;
/* Only final status code signals the end of header */
if(stream->status_code / 100 != 1) {