From 000d6a097e3c1af754e39fa44382ca3f56cb3a16 Mon Sep 17 00:00:00 2001
From: Bryan Call <bcall@apache.org>
Date: Sat, 29 Oct 2022 13:33:47 +0100
Subject: [PATCH] HTTP/2 fix with realloc (CVE-2019-9518)

Origin: backport, https://github.com/apache/trafficserver/pull/5850
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-08-26

Last-Update: 2019-08-26
Gbp-Pq: Name 0015-8.0.5-CVE-backport.patch
---
 proxy/http2/Http2ConnectionState.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/proxy/http2/Http2ConnectionState.cc b/proxy/http2/Http2ConnectionState.cc
index af61dd85..1460e454 100644
--- a/proxy/http2/Http2ConnectionState.cc
+++ b/proxy/http2/Http2ConnectionState.cc
@@ -304,10 +304,12 @@ rcv_headers_frame(Http2ConnectionState &cstate, const Http2Frame &frame)
     }
   }
 
-  stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
-  frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
+  if (header_block_fragment_length > 0) {
+    stream->header_blocks = static_cast<uint8_t *>(ats_malloc(header_block_fragment_length));
+    frame.reader()->memcpy(stream->header_blocks, header_block_fragment_length, header_block_fragment_offset);
 
-  stream->header_blocks_length = header_block_fragment_length;
+    stream->header_blocks_length = header_block_fragment_length;
+  }
 
   if (frame.header().flags & HTTP2_FLAGS_HEADERS_END_HEADERS) {
     // NOTE: If there are END_HEADERS flag, decode stored Header Blocks.
-- 
2.30.2