http2: handle on_begin_headers() called more than once
authorDaniel Stenberg <daniel@haxx.se>
Wed, 18 Apr 2018 21:51:01 +0000 (23:51 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 19 Apr 2018 06:06:40 +0000 (08:06 +0200)
This triggered an assert if called more than once in debug mode (and a
memory leak in non-debug builds). With the right sequence of incoming
HTTP/2 headers it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764

lib/http2.c

index 6758f9554dfcf79ede2b042e70e1ab4f44e8d0ad..e60ae247b484bc04859562439981910a1acff52f 100644 (file)
@@ -870,16 +870,12 @@ static int on_begin_headers(nghttp2_session *session,
     return 0;
   }
 
-  /* This is trailer HEADERS started.  Allocate buffer for them. */
-  H2BUGF(infof(data_s, "trailer field started\n"));
-
-  DEBUGASSERT(stream->trailer_recvbuf == NULL);
-
-  stream->trailer_recvbuf = Curl_add_buffer_init();
   if(!stream->trailer_recvbuf) {
-    return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+    stream->trailer_recvbuf = Curl_add_buffer_init();
+    if(!stream->trailer_recvbuf) {
+      return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+    }
   }
-
   return 0;
 }
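Review bot: The new branch silently keeps an existing trailer_recvbuf, but with the old comment and H2BUGF trace gone nothing in the code explains why the buffer may already exist when this callback runs; I would restore the rationale above the `if(!stream->trailer_recvbuf)` check, e.g. `/* Trailer HEADERS started. nghttp2 may invoke this callback more than once for the same stream, so allocate the buffer only on the first call and reuse it afterwards. */`, and keep `H2BUGF(infof(data_s, "trailer field started\n"));` inside the branch so a debug build still logs the first allocation. A second trailer HEADERS block on one stream is, as far as I can tell, not something RFC 7540 permits, so whether reusing the buffer or rejecting the frame is the right response depends on which sequences actually reach this point — the commit message only says a fuzzer produced one, and the earlier branch of this function (the `return 0;` context at the top of the hunk) is not visible here. on_begin_headers starts before this hunk.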