http2: push headers better cleanup (CVE-2024-2398)
Resolves: RHEL-30462
This commit is contained in:
parent
6e4c862df9
commit
816b245734
89
0004-curl-8.6.0-CVE-2024-2398.patch
Normal file
89
0004-curl-8.6.0-CVE-2024-2398.patch
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Eissing <stefan@eissing.org>
|
||||||
|
Date: Wed, 6 Mar 2024 09:36:08 +0100
|
||||||
|
Subject: [PATCH] http2: push headers better cleanup
|
||||||
|
|
||||||
|
- provide common cleanup method for push headers
|
||||||
|
|
||||||
|
Closes #13054
|
||||||
|
---
|
||||||
|
lib/http2.c | 34 +++++++++++++++-------------------
|
||||||
|
1 file changed, 15 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index c63ecd38371ab4..96868728a53a1f 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void free_push_headers(struct stream_ctx *stream)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+ for(i = 0; i<stream->push_headers_used; i++)
|
||||||
|
+ free(stream->push_headers[i]);
|
||||||
|
+ Curl_safefree(stream->push_headers);
|
||||||
|
+ stream->push_headers_used = 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void http2_data_done(struct Curl_cfilter *cf,
|
||||||
|
struct Curl_easy *data, bool premature)
|
||||||
|
{
|
||||||
|
@@ -324,15 +333,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
|
||||||
|
Curl_bufq_free(&stream->recvbuf);
|
||||||
|
Curl_h1_req_parse_free(&stream->h1);
|
||||||
|
Curl_dynhds_free(&stream->resp_trailers);
|
||||||
|
- if(stream->push_headers) {
|
||||||
|
- /* if they weren't used and then freed before */
|
||||||
|
- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
|
||||||
|
- free(stream->push_headers[stream->push_headers_used - 1]);
|
||||||
|
- }
|
||||||
|
- free(stream->push_headers);
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
free(stream);
|
||||||
|
H2_STREAM_LCTX(data) = NULL;
|
||||||
|
}
|
||||||
|
@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||||
|
struct curl_pushheaders heads;
|
||||||
|
CURLMcode rc;
|
||||||
|
CURLcode result;
|
||||||
|
- size_t i;
|
||||||
|
/* clone the parent */
|
||||||
|
struct Curl_easy *newhandle = h2_duphandle(cf, data);
|
||||||
|
if(!newhandle) {
|
||||||
|
@@ -905,11 +905,7 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||||
|
Curl_set_in_callback(data, false);
|
||||||
|
|
||||||
|
/* free the headers again */
|
||||||
|
- for(i = 0; i<stream->push_headers_used; i++)
|
||||||
|
- free(stream->push_headers[i]);
|
||||||
|
- free(stream->push_headers);
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
- stream->push_headers_used = 0;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
|
||||||
|
if(rv) {
|
||||||
|
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
|
||||||
|
@@ -1430,14 +1426,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
|
||||||
|
if(stream->push_headers_alloc > 1000) {
|
||||||
|
/* this is beyond crazy many headers, bail out */
|
||||||
|
failf(data_s, "Too many PUSH_PROMISE headers");
|
||||||
|
- Curl_safefree(stream->push_headers);
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||||
|
}
|
||||||
|
stream->push_headers_alloc *= 2;
|
||||||
|
- headp = Curl_saferealloc(stream->push_headers,
|
||||||
|
- stream->push_headers_alloc * sizeof(char *));
|
||||||
|
+ headp = realloc(stream->push_headers,
|
||||||
|
+ stream->push_headers_alloc * sizeof(char *));
|
||||||
|
if(!headp) {
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||||
|
}
|
||||||
|
stream->push_headers = headp;
|
@ -21,6 +21,10 @@ Patch002: 0002-curl-8.6.0-ignore-response-body-to-HEAD.patch
|
|||||||
# it breaks pycurl tests suite
|
# it breaks pycurl tests suite
|
||||||
Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch
|
Patch003: 0003-curl-8.6.0-vtls-revert-receive-max-buffer-add-test-case.patch
|
||||||
|
|
||||||
|
# http2: push headers better cleanup (CVE-2024-2398)
|
||||||
|
# provide common cleanup method for push headers
|
||||||
|
Patch004: 0004-curl-8.6.0-CVE-2024-2398.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user