[PATCH] http2: fix check for `frame->hd.type`
authorhanguanqiang <hanguanqiang@kylinos.cn>
Wed, 9 Apr 2025 11:48:11 +0000 (19:48 +0800)
committerJérémy Lal <kapouer@melix.org>
Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)
Related to CVE-2025-23085
According to the comment, this should be checking whether
`frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`.

PR-URL: https://github.com/nodejs/node/pull/57644
Refs: https://github.com/nodejs/node/commit/1b693fa03a0d36bc1dc9ec8d95060e3e5ceeee7b
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 12-http2-fix-check-for-frame-type-goaway.patch

src/node_http2.cc
test/parallel/test-http2-premature-close.js

index 73a3836cfeff1bdc92511439e580fe0eea21cad5..ba01b6eab2ff00862a2e857bd8c3ab5ebc2747e8 100644 (file)
@@ -1195,7 +1195,7 @@ int Http2Session::OnFrameNotSent(nghttp2_session* handle,
     // closed but the Http2Session will still be up causing a memory leak.
     // Therefore, if the GOAWAY frame couldn't be send due to
     // ERR_SESSION_CLOSING we should force close from our side.
-    if (frame->hd.type != 0x03) {
+    if (frame->hd.type != NGHTTP2_GOAWAY) {
       return 0;
     }
   }
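Review bot: The comment directly above `if (frame->hd.type != NGHTTP2_GOAWAY) {` still reads "couldn't be send" and never says what happens to other frame types, so the guard's intent is only implied. Since 0x03 is RST_STREAM in the HTTP/2 frame-type registry, the old literal let unsent RST_STREAM frames fall through and returned early for GOAWAY, the opposite of what the comment describes. I would correct the wording to `// Therefore, if the GOAWAY frame could not be sent due to` and add `// Any other frame type returns here; only an unsent GOAWAY reaches the force-close below.` so the next reader does not have to decode the condition. The enclosing error-code condition and the rest of OnFrameNotSent are outside the hunk, so which codes gate this branch cannot be confirmed from here.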
index a9b08f55d8a3b85328b1e4c60cdb71c642d22d90..df30c429188b69561bae73ba8ab7f648cbe856d5 100644 (file)
@@ -29,9 +29,9 @@ async function requestAndClose(server) {
     // Send a valid HEADERS frame
     const headersFrame = Buffer.concat([
       Buffer.from([
-        0x00, 0x00, 0x0c, // Length: 12 bytes
+        0x00, 0x00, 0x0e, // Length: 14 bytes
         0x01, // Type: HEADERS
-        0x05, // Flags: END_HEADERS + END_STREAM
+        0x04, // Flags: END_HEADERS
         (streamId >> 24) & 0xFF, // Stream ID: high byte
         (streamId >> 16) & 0xFF,
         (streamId >> 8) & 0xFF,
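Review bot: The 24-bit length `0x00, 0x00, 0x0e` is hand-counted and must stay in step with the header block edited in the next hunk (3 indexed fields + 2 literal-prefix bytes + 9 value bytes = 14). The previous value of 12 sat next to a block that also appears to be 14 bytes, so the declared length was already out of step with the payload. Building the header-block buffer first and writing its `.length` into the three length bytes would remove that coupling. It would also help to say in the flags comment why END_STREAM was dropped, e.g. `0x04, // Flags: END_HEADERS only; stream is left open before the socket closes`, if that is the intent. The lines between this hunk and the next are not shown, so this assumes the payload starts at `0x82`.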
@@ -41,7 +41,7 @@ async function requestAndClose(server) {
         0x82, // Indexed Header Field Representation (Predefined ":method: GET")
         0x84, // Indexed Header Field Representation (Predefined ":path: /")
         0x86, // Indexed Header Field Representation (Predefined ":scheme: http")
-        0x44, 0x0a, // Custom ":authority: localhost"
+        0x41, 0x09, // ":authority: localhost" Length: 9 bytes
         0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
       ]),
     ]);
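Review bot: The new comment on `0x41, 0x09` explains only the second byte, and the first byte is the one that was wrong. `0x41` is an HPACK literal header field with incremental indexing whose name is static-table index 1 (`:authority`), whereas the old `0x44` pointed at index 4 (`:path`) with a length of 10 for a 9-byte value. I would spell that out, e.g. `0x41, 0x09, // Literal w/ incremental indexing, name idx 1 (":authority"), value length 9`, and label the next line `// "localhost"`. That makes the hand-encoded frame checkable against the HPACK static table without decoding it.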