fix CVE-2024-2398
(cherry picked from commit 574a8c9bdb9097b061cf7f611cb9a4d2d2bab93a)
This commit is contained in:
sherlock2010
openeuler-sync-bot
parent
98a8f38632
commit
48a611d9a7
89
backport-CVE-2024-2398.patch
Normal file
89
backport-CVE-2024-2398.patch
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Eissing <stefan@eissing.org>
|
||||||
|
Date: Wed, 6 Mar 2024 09:36:08 +0100
|
||||||
|
Subject: [PATCH] http2: push headers better cleanup
|
||||||
|
|
||||||
|
- provide common cleanup method for push headers
|
||||||
|
|
||||||
|
Closes #13054
|
||||||
|
|
||||||
|
Conflict:NA
|
||||||
|
Reference:http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.16.debian.tar.xz
|
||||||
|
---
|
||||||
|
lib/http2.c | 32 ++++++++++++++------------------
|
||||||
|
1 file changed, 14 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index 6d63f43..f5c6013 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -547,6 +547,15 @@ static int set_transfer_url(struct Curl_easy *data,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void free_push_headers(struct HTTP *stream)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+ for(i = 0; i<stream->push_headers_used; i++)
|
||||||
|
+ free(stream->push_headers[i]);
|
||||||
|
+ Curl_safefree(stream->push_headers);
|
||||||
|
+ stream->push_headers_used = 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int push_promise(struct Curl_easy *data,
|
||||||
|
struct connectdata *conn,
|
||||||
|
const nghttp2_push_promise *frame)
|
||||||
|
@@ -560,7 +569,6 @@ static int push_promise(struct Curl_easy *data,
|
||||||
|
struct curl_pushheaders heads;
|
||||||
|
CURLMcode rc;
|
||||||
|
struct http_conn *httpc;
|
||||||
|
- size_t i;
|
||||||
|
/* clone the parent */
|
||||||
|
struct Curl_easy *newhandle = duphandle(data);
|
||||||
|
if(!newhandle) {
|
||||||
|
@@ -596,11 +604,7 @@ static int push_promise(struct Curl_easy *data,
|
||||||
|
Curl_set_in_callback(data, false);
|
||||||
|
|
||||||
|
/* free the headers again */
|
||||||
|
- for(i = 0; i<stream->push_headers_used; i++)
|
||||||
|
- free(stream->push_headers[i]);
|
||||||
|
- free(stream->push_headers);
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
- stream->push_headers_used = 0;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
|
||||||
|
if(rv) {
|
||||||
|
DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
|
||||||
|
@@ -1037,10 +1041,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
|
||||||
|
stream->push_headers_alloc) {
|
||||||
|
char **headp;
|
||||||
|
stream->push_headers_alloc *= 2;
|
||||||
|
- headp = Curl_saferealloc(stream->push_headers,
|
||||||
|
- stream->push_headers_alloc * sizeof(char *));
|
||||||
|
+ headp = realloc(stream->push_headers,
|
||||||
|
+ stream->push_headers_alloc * sizeof(char *));
|
||||||
|
if(!headp) {
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||||
|
}
|
||||||
|
stream->push_headers = headp;
|
||||||
|
@@ -1206,15 +1210,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
|
||||||
|
setup */
|
||||||
|
Curl_dyn_free(&http->header_recvbuf);
|
||||||
|
Curl_dyn_free(&http->trailer_recvbuf);
|
||||||
|
- if(http->push_headers) {
|
||||||
|
- /* if they weren't used and then freed before */
|
||||||
|
- for(; http->push_headers_used > 0; --http->push_headers_used) {
|
||||||
|
- free(http->push_headers[http->push_headers_used - 1]);
|
||||||
|
- }
|
||||||
|
- free(http->push_headers);
|
||||||
|
- http->push_headers = NULL;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
+ free_push_headers(http);
|
||||||
|
if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
|
||||||
|
!httpc->h2) /* not HTTP/2 ? */
|
||||||
|
return;
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.79.1
|
Version: 7.79.1
|
||||||
Release: 27
|
Release: 28
|
||||||
Summary: Curl is used in command lines or scripts to transfer data
|
Summary: Curl is used in command lines or scripts to transfer data
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://curl.haxx.se/
|
URL: https://curl.haxx.se/
|
||||||
@ -96,6 +96,7 @@ Patch82: backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch
|
|||||||
Patch83: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
|
Patch83: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch
|
||||||
Patch84: backport-transfer-also-stop-the-sending-on-closed-connection.patch
|
Patch84: backport-transfer-also-stop-the-sending-on-closed-connection.patch
|
||||||
Patch85: backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch
|
Patch85: backport-openssl-avoid-BN_num_bits-NULL-pointer-derefs.patch
|
||||||
|
Patch86: backport-CVE-2024-2398.patch
|
||||||
|
|
||||||
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
|
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
|
||||||
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
|
BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel
|
||||||
@ -264,6 +265,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 29 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-28
|
||||||
|
- Type:CVE
|
||||||
|
- CVE:CVE-2024-2398
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix CVE-2024-2398
|
||||||
|
|
||||||
* Fri Jan 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-27
|
* Fri Jan 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.79.1-27
|
||||||
- Type:bugfix
|
- Type:bugfix
|
||||||
- CVE:NA
|
- CVE:NA
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user