File CVE-2019-9516.patch of Package nginx.12403

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-9516.patch of Package nginx.12403

commit 6dfbc8b1c2116f362bb871efebbf9df576738e89
Author: Sergey Kandaurov <pluknet@nginx.com>
Date:   Tue Aug 13 15:43:32 2019 +0300

HTTP/2: reject zero length headers with PROTOCOL_ERROR.
    
    Fixed uncontrolled memory growth if peer sends a stream of
    headers with a 0-length header name and 0-length header value.
    Fix is to reject headers with zero name length.

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 9571e710..72d5aa50 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
         header->name.len = h2c->state.field_end - h2c->state.field_start;
         header->name.data = h2c->state.field_start;
 
+        if (header->name.len == 0) {
+            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                          "client sent zero header name length");
+
+            return ngx_http_v2_connection_error(h2c,
+                                                NGX_HTTP_V2_PROTOCOL_ERROR);
+        }
+
         return ngx_http_v2_state_field_len(h2c, pos, end);
     }
 
@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
     ngx_uint_t                 i;
     ngx_http_core_srv_conf_t  *cscf;
 
-    if (header->name.len == 0) {
-        return NGX_ERROR;
-    }
-
     r->invalid_header = 0;
 
     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

Places

File CVE-2019-9516.patch of Package nginx.12403

Places