Blame SOURCES/nginx-1.14.1-CVE-2019-9516.patch
|
 |
0abed9 |
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
|
|
0abed9 |
index 0aaea47..fd6ecb0 100644
|
|
|
0abed9 |
--- a/src/http/v2/ngx_http_v2.c
|
|
|
0abed9 |
+++ b/src/http/v2/ngx_http_v2.c
|
|
|
0abed9 |
@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
|
|
|
0abed9 |
header->name.len = h2c->state.field_end - h2c->state.field_start;
|
|
|
0abed9 |
header->name.data = h2c->state.field_start;
|
|
|
0abed9 |
|
|
|
0abed9 |
+ if (header->name.len == 0) {
|
|
|
0abed9 |
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
|
|
0abed9 |
+ "client sent zero header name length");
|
|
|
0abed9 |
+
|
|
|
0abed9 |
+ return ngx_http_v2_connection_error(h2c,
|
|
|
0abed9 |
+ NGX_HTTP_V2_PROTOCOL_ERROR);
|
|
|
0abed9 |
+ }
|
|
|
0abed9 |
+
|
|
|
0abed9 |
return ngx_http_v2_state_field_len(h2c, pos, end);
|
|
|
0abed9 |
}
|
|
|
0abed9 |
|
|
|
0abed9 |
@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
|
|
|
0abed9 |
ngx_uint_t i;
|
|
|
0abed9 |
ngx_http_core_srv_conf_t *cscf;
|
|
|
0abed9 |
|
|
|
0abed9 |
- if (header->name.len == 0) {
|
|
|
0abed9 |
- return NGX_ERROR;
|
|
|
0abed9 |
- }
|
|
|
0abed9 |
-
|
|
|
0abed9 |
r->invalid_header = 0;
|
|
|
0abed9 |
|
|
|
0abed9 |
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
|