Skip to content

Commit

Permalink
test: add regression test for nghttp2 CVE-2018-1000168
Browse files Browse the repository at this point in the history
PR-URL: https://github.com/nodejs-private/node-private/pull/124
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
  • Loading branch information
jasnell authored and evanlucas committed Jun 12, 2018
1 parent 65ed321 commit 0ab90ac
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 0 deletions.
10 changes: 10 additions & 0 deletions test/common/http2.js
Original file line number Diff line number Diff line change
Expand Up @@ -127,8 +127,18 @@ class PingFrame extends Frame {
}
}

class AltSvcFrame extends Frame {
constructor(size) {
const buffers = [Buffer.alloc(size)];
super(size, 10, 0, 0);
buffers.unshift(this[kFrameData]);
this[kFrameData] = Buffer.concat(buffers);
}
}

module.exports = {
Frame,
AltSvcFrame,
DataFrame,
HeadersFrame,
SettingsFrame,
Expand Down
39 changes: 39 additions & 0 deletions test/parallel/test-http2-malformed-altsvc.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
'use strict';

const common = require('../common');

if (!common.hasCrypto)
common.skip('missing crypto');

const http2 = require('http2');
const net = require('net');
const h2test = require('../common/http2');

const server = http2.createServer();
server.on('stream', common.mustNotCall());

const settings = new h2test.SettingsFrame();
const settingsAck = new h2test.SettingsFrame(true);
const altsvc = new h2test.AltSvcFrame((1 << 14) + 1);

server.listen(0, () => {
const client = net.connect(server.address().port, () => {
client.write(h2test.kClientMagic, () => {
client.write(settings.data, () => {
client.write(settingsAck.data);
// Prior to nghttp2 1.31.1, sending this malformed altsvc frame
// would cause a segfault. This test is successful if a segfault
// does not occur.
client.write(altsvc.data, common.mustCall(() => {
client.destroy();
}));
});
});
});

// An error may or may not be emitted on the client side, we don't care
// either way if it is, but we don't want to die if it is.
client.on('error', () => {});
client.on('close', common.mustCall(() => server.close()));
client.resume();
});

0 comments on commit 0ab90ac

Please sign in to comment.