From 0ab90acaf328ecbd5e3a3ea705ea59b5c674f20a Mon Sep 17 00:00:00 2001 From: James M Snell Date: Fri, 13 Apr 2018 08:11:26 -0700 Subject: [PATCH] test: add regression test for nghttp2 CVE-2018-1000168 PR-URL: https://github.com/nodejs-private/node-private/pull/124 Reviewed-By: Matteo Collina Reviewed-By: Evan Lucas --- test/common/http2.js | 10 +++++ test/parallel/test-http2-malformed-altsvc.js | 39 ++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 test/parallel/test-http2-malformed-altsvc.js diff --git a/test/common/http2.js b/test/common/http2.js index 1d4c269fffd5b5..6b010cdae0f340 100644 --- a/test/common/http2.js +++ b/test/common/http2.js @@ -127,8 +127,18 @@ class PingFrame extends Frame { } } +class AltSvcFrame extends Frame { + constructor(size) { + const buffers = [Buffer.alloc(size)]; + super(size, 10, 0, 0); + buffers.unshift(this[kFrameData]); + this[kFrameData] = Buffer.concat(buffers); + } +} + module.exports = { Frame, + AltSvcFrame, DataFrame, HeadersFrame, SettingsFrame, diff --git a/test/parallel/test-http2-malformed-altsvc.js b/test/parallel/test-http2-malformed-altsvc.js new file mode 100644 index 00000000000000..28c0fb46b42281 --- /dev/null +++ b/test/parallel/test-http2-malformed-altsvc.js @@ -0,0 +1,39 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const http2 = require('http2'); +const net = require('net'); +const h2test = require('../common/http2'); + +const server = http2.createServer(); +server.on('stream', common.mustNotCall()); + +const settings = new h2test.SettingsFrame(); +const settingsAck = new h2test.SettingsFrame(true); +const altsvc = new h2test.AltSvcFrame((1 << 14) + 1); + +server.listen(0, () => { + const client = net.connect(server.address().port, () => { + client.write(h2test.kClientMagic, () => { + client.write(settings.data, () => { + client.write(settingsAck.data); + // Prior to nghttp2 1.31.1, sending this malformed altsvc frame + // would cause a segfault. This test is successful if a segfault + // does not occur. + client.write(altsvc.data, common.mustCall(() => { + client.destroy(); + })); + }); + }); + }); + + // An error may or may not be emitted on the client side, we don't care + // either way if it is, but we don't want to die if it is. + client.on('error', () => {}); + client.on('close', common.mustCall(() => server.close())); + client.resume(); +});