Skip to content

Commit

Permalink
deps: update to nghttp2 1.32.0
Browse files Browse the repository at this point in the history
This fixes CVE-2018-1000168.

PR-URL: https://github.com/nodejs-private/node-private/pull/124
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
  • Loading branch information
jasnell authored and evanlucas committed Jun 12, 2018
1 parent 828159f commit 65ed321
Show file tree
Hide file tree
Showing 6 changed files with 126 additions and 50 deletions.
6 changes: 5 additions & 1 deletion deps/nghttp2/lib/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ target_include_directories(nghttp2 INTERFACE
"${CMAKE_CURRENT_SOURCE_DIR}/includes"
)

if(HAVE_CUNIT)
if(HAVE_CUNIT OR ENABLE_STATIC_LIB)
# Static library (for unittests because of symbol visibility)
add_library(nghttp2_static STATIC ${NGHTTP2_SOURCES})
set_target_properties(nghttp2_static PROPERTIES
Expand All @@ -58,6 +58,10 @@ if(HAVE_CUNIT)
ARCHIVE_OUTPUT_NAME nghttp2
)
target_compile_definitions(nghttp2_static PUBLIC "-DNGHTTP2_STATICLIB")
if(ENABLE_STATIC_LIB)
install(TARGETS nghttp2_static
DESTINATION "${CMAKE_INSTALL_LIBDIR}")
endif()
endif()

install(TARGETS nghttp2
Expand Down
10 changes: 10 additions & 0 deletions deps/nghttp2/lib/includes/nghttp2/nghttp2.h
Original file line number Diff line number Diff line change
Expand Up @@ -3081,6 +3081,16 @@ NGHTTP2_EXTERN int
nghttp2_session_set_stream_user_data(nghttp2_session *session,
int32_t stream_id, void *stream_user_data);

/**
* @function
*
* Sets |user_data| to |session|, overwriting the existing user data
* specified in `nghttp2_session_client_new()`, or
* `nghttp2_session_server_new()`.
*/
NGHTTP2_EXTERN void nghttp2_session_set_user_data(nghttp2_session *session,
void *user_data);

/**
* @function
*
Expand Down
4 changes: 2 additions & 2 deletions deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,14 @@
* @macro
* Version number of the nghttp2 library release
*/
#define NGHTTP2_VERSION "1.29.0"
#define NGHTTP2_VERSION "1.32.0"

/**
* @macro
* Numerical representation of the version number of the nghttp2 library
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
#define NGHTTP2_VERSION_NUM 0x011d00
#define NGHTTP2_VERSION_NUM 0x012000

#endif /* NGHTTP2VER_H */
3 changes: 3 additions & 0 deletions deps/nghttp2/lib/nghttp2_frame.c
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,9 @@ void nghttp2_frame_altsvc_free(nghttp2_extension *frame, nghttp2_mem *mem) {
nghttp2_ext_altsvc *altsvc;

altsvc = frame->payload;
if (altsvc == NULL) {
return;
}
/* We use the same buffer for altsvc->origin and
altsvc->field_value. */
nghttp2_mem_free(mem, altsvc->origin);
Expand Down
2 changes: 1 addition & 1 deletion deps/nghttp2/lib/nghttp2_http.c
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ static int http_response_on_header(nghttp2_stream *stream, nghttp2_hd_nv *nv,
return NGHTTP2_ERR_HTTP_HEADER;
}
stream->status_code = (int16_t)parse_uint(nv->value->base, nv->value->len);
if (stream->status_code == -1) {
if (stream->status_code == -1 || stream->status_code == 101) {
return NGHTTP2_ERR_HTTP_HEADER;
}
break;
Expand Down
Loading

0 comments on commit 65ed321

Please sign in to comment.