test curl NULL deref patch 2
vszakats committed Oct 10, 2023
1 parent 705bc45 commit cc34c15
Showing 1 changed file with 72 additions and 0 deletions.
72 changes: 72 additions & 0 deletions curl.dev.patch
@@ -1,3 +1,48 @@
diff --git a/lib/cf-h2-proxy.c b/lib/cf-h2-proxy.c
index dbc895d26..9db820cc8 100644
--- a/lib/cf-h2-proxy.c
+++ b/lib/cf-h2-proxy.c
@@ -929,10 +929,18 @@ static CURLcode proxy_h2_submit(int32_t *pstream_id,

for(i = 0; i < nheader; ++i) {
struct dynhds_entry *e = Curl_dynhds_getn(&h2_headers, i);
- nva[i].name = (unsigned char *)e->name;
- nva[i].namelen = e->namelen;
- nva[i].value = (unsigned char *)e->value;
- nva[i].valuelen = e->valuelen;
+ if(e) {
+ nva[i].name = (unsigned char *)e->name;
+ nva[i].namelen = e->namelen;
+ nva[i].value = (unsigned char *)e->value;
+ nva[i].valuelen = e->valuelen;
+ }
+ else {
+ nva[i].name = NULL;
+ nva[i].namelen = 0;
+ nva[i].value = NULL;
+ nva[i].valuelen = 0;
+ }
nva[i].flags = NGHTTP2_NV_FLAG_NONE;
}

diff --git a/lib/dynhds.c b/lib/dynhds.c
index 979b3e825..153bcdade 100644
--- a/lib/dynhds.c
+++ b/lib/dynhds.c
@@ -171,7 +171,7 @@ CURLcode Curl_dynhds_add(struct dynhds *dynhds,
if(dynhds->strs_len + namelen + valuelen > dynhds->max_strs_size)
return CURLE_OUT_OF_MEMORY;

-entry = entry_new(name, namelen, value, valuelen, dynhds->opts);
+ entry = entry_new(name, namelen, value, valuelen, dynhds->opts);
if(!entry)
goto out;

@@ -364,4 +364,3 @@ CURLcode Curl_dynhds_h1_dprint(struct dynhds *dynhds, struct dynbuf *dbuf)

return result;
}
-
diff --git a/lib/http2.c b/lib/http2.c
index c8b059498..04dee198c 100644
--- a/lib/http2.c
Expand Down Expand Up @@ -25,3 +70,30 @@ index c8b059498..04dee198c 100644
nva[i].flags = NGHTTP2_NV_FLAG_NONE;
}

diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
index 7d681e585..db1292271 100644
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@@ -1704,10 +1704,18 @@ static ssize_t h3_stream_open(struct Curl_cfilter *cf,

for(i = 0; i < nheader; ++i) {
struct dynhds_entry *e = Curl_dynhds_getn(&h2_headers, i);
- nva[i].name = (unsigned char *)e->name;
- nva[i].namelen = e->namelen;
- nva[i].value = (unsigned char *)e->value;
- nva[i].valuelen = e->valuelen;
+ if(e) {
+ nva[i].name = (unsigned char *)e->name;
+ nva[i].namelen = e->namelen;
+ nva[i].value = (unsigned char *)e->value;
+ nva[i].valuelen = e->valuelen;
+ }
+ else {
+ nva[i].name = NULL;
+ nva[i].namelen = 0;
+ nva[i].value = NULL;
+ nva[i].valuelen = 0;
+ }
nva[i].flags = NGHTTP3_NV_FLAG_NONE;
}
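Review bot: The `else` branches added in `proxy_h2_submit` (lib/cf-h2-proxy.c) and `h3_stream_open` (lib/vquic/curl_ngtcp2.c) turn a NULL from `Curl_dynhds_getn()` into an entry with a NULL name and zero lengths and then keep going, so the header array is still passed on with a slot that does not correspond to any real header. A NULL for an index below `nheader` means the count and the stored entries disagree, and that is better treated as a hard failure than papered over: on `!e`, leave the loop through the function's existing error path and return an error, rather than filling in an empty name/value pair. If the fallback is kept to satisfy a static-analysis warning, say so at the branch, e.g. `/* cannot happen: i < nheader; keeps the analyzer quiet */`. Both function bodies start and end outside the visible hunks, so the right error code and cleanup label have to be taken from the surrounding code; the collapsed lib/http2.c section appears to carry the same loop and would need the same treatment.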
