projects / nodejs.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 005bca9)
[PATCH] http2: do not crash on mismatched ping buffer length
authorRené <contact.9a5d6388@renegade334.me.uk>
Wed, 8 Oct 2025 23:23:34 +0000 (00:23 +0100)
committerJérémy Lal <kapouer@melix.org>
Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)
PR-URL: https://github.com/nodejs/node/pull/60135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch

lib/internal/http2/core.js patch | blob | history
test/parallel/test-http2-ping.js patch | blob | history

diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
index d0602acb0a9f092d331d13e4a65b9c09afa8e5f2..cc08f81a1cdbf14552a1134de56872c7155911e4 100644 (file)
--- a/lib/internal/http2/core.js
+++ b/lib/internal/http2/core.js
@@ -1413,9 +1413,9 @@ class Http2Session extends EventEmitter {
     }
     if (payload) {
       validateBuffer(payload, 'payload');
-    }
-    if (payload && payload.length !== 8) {
-      throw new ERR_HTTP2_PING_LENGTH();
+      if (payload.byteLength !== 8) {
+        throw new ERR_HTTP2_PING_LENGTH();
+      }
     }
     validateFunction(callback, 'callback');
 
diff --git a/test/parallel/test-http2-ping.js b/test/parallel/test-http2-ping.js
index 9a6b30194d0c300de46185170cb1a8bf571e6c56..90ef57e03ccf5998e7888760412806045eae8173 100644 (file)
--- a/test/parallel/test-http2-ping.js
+++ b/test/parallel/test-http2-ping.js
@@ -64,11 +64,11 @@ server.listen(0, common.mustCall(() => {
       })));
     }
     {
-      const payload = Buffer.from('abcdefgi');
+      const payload = new Uint16Array([1, 2, 3, 4]);
       assert(client.ping(payload, common.mustCall((err, duration, ret) => {
         assert.strictEqual(err, null);
         assert.strictEqual(typeof duration, 'number');
-        assert.deepStrictEqual(payload, ret);
+        assert.deepStrictEqual(payload.buffer, ret.buffer);
       })));
     }
 
@@ -99,7 +99,8 @@ server.listen(0, common.mustCall(() => {
     {
       const shortPayload = Buffer.from('abcdefg');
       const longPayload = Buffer.from('abcdefghi');
-      [shortPayload, longPayload].forEach((payloadWithInvalidLength) =>
+      const mismatchedPayload = new Uint32Array(8);
+      [shortPayload, longPayload, mismatchedPayload].forEach((payloadWithInvalidLength) =>
         assert.throws(
           () => client.ping(payloadWithInvalidLength),
           {
Unnamed repository; edit this file 'description' to name the repository.