From: Daniel Stenberg Date: Sat, 21 Apr 2018 10:33:52 +0000 (+0200) Subject: http2: convert an assert to run-time check X-Git-Tag: curl-7_60_0~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a3589ccd0dbf5f3a826b669517ccc12893fa153;p=thirdparty%2Fcurl.git http2: convert an assert to run-time check Fuzzing has proven we can reach code in on_frame_recv with status_code not having been set, so let's detect that in run-time (instead of with assert) and error error accordingly. (This should no longer happen with the latest nghttp2) Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 Closes #2514 --- diff --git a/lib/http2.c b/lib/http2.c index fe5fdb1b82..7dea16125e 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -624,8 +624,10 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame, } /* nghttp2 guarantees that :status is received, and we store it to - stream->status_code */ - DEBUGASSERT(stream->status_code != -1); + stream->status_code. Fuzzing has proven this can still be reached + without status code having been set. */ + if(stream->status_code == -1) + return NGHTTP2_ERR_CALLBACK_FAILURE; /* Only final status code signals the end of header */ if(stream->status_code / 100 != 1) {
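Review bot: Returning NGHTTP2_ERR_CALLBACK_FAILURE when stream->status_code is still -1 fails the session without recording why, so the new branch should emit a diagnostic before the return (curl's infof()/failf() on the transfer handle would do) so an operator can distinguish a missing :status pseudo-header from any other callback failure. Two smaller points on this hunk: the check only works if status_code is initialised to -1 when the stream is created, which is not visible here and should be confirmed in the same patch; and the updated comment now says both that nghttp2 guarantees :status and that fuzzing reaches this path without it, so it would read better as "nghttp2 is expected to deliver :status before this point, but fuzzing has shown that is not always the case with older versions". The commit message also reads "error error accordingly", which looks like a doubled word.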