From: René <contact.9a5d6388@renegade334.me.uk>
Date: Wed, 8 Oct 2025 23:23:34 +0000 (+0100)
Subject: [PATCH] http2: do not crash on mismatched ping buffer length
X-Git-Tag: archive/raspbian/20.19.2+dfsg-1+rpi1+deb13u1^2~9
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22stanciumarius94%40gmail.com//%22mailto:i18n-csb%40linuxcsb.org/%22/%22http:/www.example.com/%22stanciumarius94%40gmail.com/%22mailto:i18n-csb%40linuxcsb.org/%22?a=commitdiff_plain;h=78540c74e23729add5c587868af76d51293ef9f8;p=nodejs.git

[PATCH] http2: do not crash on mismatched ping buffer length

PR-URL: https://github.com/nodejs/node/pull/60135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Gbp-Pq: Topic sec
Gbp-Pq: Name 28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch
---

diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
index d0602acb0..cc08f81a1 100644
--- a/lib/internal/http2/core.js
+++ b/lib/internal/http2/core.js
@@ -1413,9 +1413,9 @@ class Http2Session extends EventEmitter {
     }
     if (payload) {
       validateBuffer(payload, 'payload');
-    }
-    if (payload && payload.length !== 8) {
-      throw new ERR_HTTP2_PING_LENGTH();
+      if (payload.byteLength !== 8) {
+        throw new ERR_HTTP2_PING_LENGTH();
+      }
     }
     validateFunction(callback, 'callback');
 
diff --git a/test/parallel/test-http2-ping.js b/test/parallel/test-http2-ping.js
index 9a6b30194..90ef57e03 100644
--- a/test/parallel/test-http2-ping.js
+++ b/test/parallel/test-http2-ping.js
@@ -64,11 +64,11 @@ server.listen(0, common.mustCall(() => {
       })));
     }
     {
-      const payload = Buffer.from('abcdefgi');
+      const payload = new Uint16Array([1, 2, 3, 4]);
       assert(client.ping(payload, common.mustCall((err, duration, ret) => {
         assert.strictEqual(err, null);
         assert.strictEqual(typeof duration, 'number');
-        assert.deepStrictEqual(payload, ret);
+        assert.deepStrictEqual(payload.buffer, ret.buffer);
       })));
     }
 
@@ -99,7 +99,8 @@ server.listen(0, common.mustCall(() => {
     {
       const shortPayload = Buffer.from('abcdefg');
       const longPayload = Buffer.from('abcdefghi');
-      [shortPayload, longPayload].forEach((payloadWithInvalidLength) =>
+      const mismatchedPayload = new Uint32Array(8);
+      [shortPayload, longPayload, mismatchedPayload].forEach((payloadWithInvalidLength) =>
         assert.throws(
           () => client.ping(payloadWithInvalidLength),
           {