From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 8 Oct 2025 10:22:22 +0000 (+0200)
Subject: http2: check push header names by length first
X-Git-Tag: rc-8_17_0-3~254
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93e91e965e80b94b559293b93d4fb3360b8281a3;p=thirdparty%2Fcurl.git

http2: check push header names by length first

Reported-by: Joshua Rogers
Closes #18930
---

diff --git a/lib/http2.c b/lib/http2.c
index c33c633cf6..ff53fc4b94 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1590,7 +1590,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
   if(frame->hd.type == NGHTTP2_PUSH_PROMISE) {
     char *h;
 
-    if(!strcmp(HTTP_PSEUDO_AUTHORITY, (const char *)name)) {
+    if((namelen == (sizeof(HTTP_PSEUDO_AUTHORITY)-1)) &&
+       !strncmp(HTTP_PSEUDO_AUTHORITY, (const char *)name, namelen)) {
       /* pseudo headers are lower case */
       int rc = 0;
       char *check = curl_maprintf("%s:%d", cf->conn->host.name,