HTTP/2 fix with realloc (CVE-2019-9518)
authorBryan Call <bcall@apache.org>
Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)
committerAbhijith PA <abhijith@debian.org>
Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)
Origin: backport, https://github.com/apache/trafficserver/pull/5850
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-08-26

Last-Update: 2019-08-26
Gbp-Pq: Name 0015-8.0.5-CVE-backport.patch

proxy/http2/Http2ConnectionState.cc

index af61dd8582a1615fd41d10c11e2617fffe0de15f..1460e45457f0051537291e594e8ed8bd2311eb72 100644 (file)
@@ -304,10 +304,12 @@ rcv_headers_frame(Http2ConnectionState &cstate, const Http2Frame &frame)
     }
   }
 
-  stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
-  frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
+  if (header_block_fragment_length > 0) {
+    stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
+    frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
 
-  stream->header_blocks_length = header_block_fragment_length;
+    stream->header_blocks_length = header_block_fragment_length;
+  }
 
   if (frame.header().flags & HTTP2_FLAGS_HEADERS_END_HEADERS) {
     // NOTE: If there are END_HEADERS flag, decode stored Header Blocks.
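Review bot: When `header_block_fragment_length` is 0, the new guard leaves `stream->header_blocks` and `stream->header_blocks_length` at whatever they held before, and the END_HEADERS branch right after the guard presumably decodes from those fields. If they are not guaranteed to be null and 0 at this point (for example on a second HEADERS frame for the same stream, which this hunk does not show), a stale pointer or length could be decoded. Making the empty case explicit would remove that dependency, e.g. `stream->header_blocks_length = 0;` before the `if`, or an `else` that resets it. A short comment such as `// Empty header block fragment (CVE-2019-9518): nothing to copy, skip the allocation` would also record why the guard exists. rcv_headers_frame starts and ends outside the hunk, so the initial state of both fields should be confirmed there.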