cf-h2-proxy: drop interim responses

Any 1xx response before the CONNECT final one can be dropped as no one
uses those in the HTTP/2 proxy filter. This eliminates a potential
memory exhaustion by the famous malicious server on the internet.

Closes #21626

diff --git a/lib/cf-h2-proxy.c b/lib/cf-h2-proxy.c
index a0c5b143215f734b92e9825a9cf1ce33d6a91e10..1dfd0a0a46034b47ce0b121d12130aa45d941e3a 100644 (file)
--- a/lib/cf-h2-proxy.c
+++ b/lib/cf-h2-proxy.c
@@ -561,7 +561,7 @@ static int proxy_h2_on_header(nghttp2_session *session,
     struct http_resp *resp;
 
     /* status: always comes first, we might get more than one response,
-     * link the previous ones for keepers */
+     * discard previous, interim responses */
     result = Curl_http_decode_status(&http_status,
                                     (const char *)value, valuelen);
     if(result)
@@ -569,7 +569,8 @@ static int proxy_h2_on_header(nghttp2_session *session,
     result = Curl_http_resp_make(&resp, http_status, NULL);
     if(result)
       return NGHTTP2_ERR_CALLBACK_FAILURE;
-    resp->prev = ctx->tunnel.resp;
+    if(ctx->tunnel.resp)
+      Curl_http_resp_free(ctx->tunnel.resp);
     ctx->tunnel.resp = resp;
     CURL_TRC_CF(data, cf, "[%d] status: HTTP/2 %03d",
                 stream_id, ctx->tunnel.resp->status);