From: Bryan Call <bcall@apache.org>
Date: Sun, 6 Dec 2020 16:00:17 +0000 (+0000)
Subject: HTTP/2 fix with realloc (CVE-2019-9518)
X-Git-Tag: archive/raspbian/8.0.2+ds-1+rpi1+deb10u4^2~8
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=8f74b87e830a7330d63108081bc916d9fd39c597;p=trafficserver.git

HTTP/2 fix with realloc (CVE-2019-9518)

Origin: backport, https://github.com/apache/trafficserver/pull/5850
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-08-26

Last-Update: 2019-08-26
Gbp-Pq: Name 0015-8.0.5-CVE-backport.patch
---

diff --git a/proxy/http2/Http2ConnectionState.cc b/proxy/http2/Http2ConnectionState.cc
index af61dd85..1460e454 100644
--- a/proxy/http2/Http2ConnectionState.cc
+++ b/proxy/http2/Http2ConnectionState.cc
@@ -304,10 +304,12 @@ rcv_headers_frame(Http2ConnectionState &cstate, const Http2Frame &frame)
     }
   }
 
-  stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
-  frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
+  if (header_block_fragment_length > 0) {
+    stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
+    frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
 
-  stream->header_blocks_length = header_block_fragment_length;
+    stream->header_blocks_length = header_block_fragment_length;
+  }
 
   if (frame.header().flags & HTTP2_FLAGS_HEADERS_END_HEADERS) {
     // NOTE: If there are END_HEADERS flag, decode stored Header Blocks.