diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2024-2398.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2024-2398.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch | |||
@@ -0,0 +1,88 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 | ||
4 | From: Stefan Eissing <stefan@eissing.org> | ||
5 | Date: Wed, 6 Mar 2024 09:36:08 +0100 | ||
6 | Subject: [PATCH] http2: push headers better cleanup | ||
7 | |||
8 | - provide common cleanup method for push headers | ||
9 | |||
10 | Closes #13054 | ||
11 | |||
12 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security | ||
13 | Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] | ||
14 | CVE: CVE-2024-2398 | ||
15 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
16 | --- | ||
17 | lib/http2.c | 34 +++++++++++++++------------------- | ||
18 | 1 file changed, 15 insertions(+), 19 deletions(-) | ||
19 | |||
20 | --- a/lib/http2.c | ||
21 | +++ b/lib/http2.c | ||
22 | @@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc | ||
23 | } | ||
24 | |||
25 | |||
26 | +static void free_push_headers(struct HTTP *stream) | ||
27 | +{ | ||
28 | + size_t i; | ||
29 | + for(i = 0; i<stream->push_headers_used; i++) | ||
30 | + free(stream->push_headers[i]); | ||
31 | + Curl_safefree(stream->push_headers); | ||
32 | + stream->push_headers_used = 0; | ||
33 | +} | ||
34 | + | ||
35 | static int push_promise(struct Curl_easy *data, | ||
36 | struct connectdata *conn, | ||
37 | const nghttp2_push_promise *frame) | ||
38 | @@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy | ||
39 | struct curl_pushheaders heads; | ||
40 | CURLMcode rc; | ||
41 | struct http_conn *httpc; | ||
42 | - size_t i; | ||
43 | /* clone the parent */ | ||
44 | struct Curl_easy *newhandle = duphandle(data); | ||
45 | if(!newhandle) { | ||
46 | @@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy | ||
47 | Curl_set_in_callback(data, false); | ||
48 | |||
49 | /* free the headers again */ | ||
50 | - for(i = 0; i<stream->push_headers_used; i++) | ||
51 | - free(stream->push_headers[i]); | ||
52 | - free(stream->push_headers); | ||
53 | - stream->push_headers = NULL; | ||
54 | - stream->push_headers_used = 0; | ||
55 | + free_push_headers(stream); | ||
56 | |||
57 | if(rv) { | ||
58 | /* denied, kill off the new handle again */ | ||
59 | @@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se | ||
60 | stream->push_headers_alloc) { | ||
61 | char **headp; | ||
62 | stream->push_headers_alloc *= 2; | ||
63 | - headp = Curl_saferealloc(stream->push_headers, | ||
64 | - stream->push_headers_alloc * sizeof(char *)); | ||
65 | + headp = realloc(stream->push_headers, | ||
66 | + stream->push_headers_alloc * sizeof(char *)); | ||
67 | if(!headp) { | ||
68 | - stream->push_headers = NULL; | ||
69 | + free_push_headers(stream); | ||
70 | return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; | ||
71 | } | ||
72 | stream->push_headers = headp; | ||
73 | @@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d | ||
74 | if(http->header_recvbuf) { | ||
75 | Curl_add_buffer_free(&http->header_recvbuf); | ||
76 | Curl_add_buffer_free(&http->trailer_recvbuf); | ||
77 | - if(http->push_headers) { | ||
78 | - /* if they weren't used and then freed before */ | ||
79 | - for(; http->push_headers_used > 0; --http->push_headers_used) { | ||
80 | - free(http->push_headers[http->push_headers_used - 1]); | ||
81 | - } | ||
82 | - free(http->push_headers); | ||
83 | - http->push_headers = NULL; | ||
84 | - } | ||
85 | + free_push_headers(http); | ||
86 | } | ||
87 | |||
88 | if(!httpc->h2) /* not HTTP/2 ? */ | ||