fix CVE-2024-2398

(cherry picked from commit 574a8c9bdb9097b061cf7f611cb9a4d2d2bab93a)
2024-03-29 08:34:17 +00:00 · 2024-03-29 08:34:17 +00:00 · 48a611d9a7
commit 48a611d9a7
parent 98a8f38632
2 changed files with 97 additions and 1 deletions
--- a/backport-CVE-2024-2398.patch
+++ b/backport-CVE-2024-2398.patch
@ -0,0 +1,89 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+ 
+- provide common cleanup method for push headers
+ 
+Closes #13054
+ 
+Conflict:NA
+Reference:http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.16.debian.tar.xz
+---
+ lib/http2.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+ 
+diff --git a/lib/http2.c b/lib/http2.c
+index 6d63f43..f5c6013 100644
+--- a/lib/http2.c
+++ b/lib/http2.c
+@@ -547,6 +547,15 @@ static int set_transfer_url(struct Curl_easy *data,
+   return 0;
+ }
+ 
+static void free_push_headers(struct HTTP *stream)
+{
+  size_t i;
+  for(i = 0; i<stream->push_headers_used; i++)
+    free(stream->push_headers[i]);
+  Curl_safefree(stream->push_headers);
+  stream->push_headers_used = 0;
+}
+
+ static int push_promise(struct Curl_easy *data,
+                         struct connectdata *conn,
+                         const nghttp2_push_promise *frame)
+@@ -560,7 +569,6 @@ static int push_promise(struct Curl_easy *data,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -596,11 +604,7 @@ static int push_promise(struct Curl_easy *data,
+     Curl_set_in_callback(data, false);
+ 
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
+    free_push_headers(stream);
+ 
+     if(rv) {
+       DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1037,10 +1041,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
+      headp = realloc(stream->push_headers,
+                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
+        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1206,15 +1210,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+      setup */
+   Curl_dyn_free(&http->header_recvbuf);
+   Curl_dyn_free(&http->trailer_recvbuf);
+-  if(http->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
+-  }
+-
+  free_push_headers(http);
+   if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+      !httpc->h2) /* not HTTP/2 ? */
+     return;
+-- 
+2.33.0
--- a/curl.spec
+++ b/curl.spec
@ -6,7 +6,7 @@

 Name:           curl
 Version:        7.79.1
-Release:        27
+Release:        28
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@ -96,6 +96,7 @@ Patch82:        backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
 Patch83:        backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
 Patch84:        backport-transfer-also-stop-the-sending-on-closed-connection.patch
 Patch85:        backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch
+Patch86:        backport-CVE-2024-2398.patch

 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@ -264,6 +265,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*

 %changelog
+* Fri Mar 29 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-28
+- Type:CVE
+- CVE:CVE-2024-2398
+- SUG:NA
+- DESC:fix CVE-2024-2398
+
 * Fri Jan 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-27
 - Type:bugfix
 - CVE:NA