git.kaiwu.me - nginx.git/commitdiff
HTTP/2: fixed overlapping memcpy in CONTINUATION frames
author Feng Wu <wufengwufengwufeng@gmail.com>
Sun, 21 Jun 2026 09:30:29 +0000 (17:30 +0800)
committer Andrew Clayton <a.clayton@nginx.com>
Wed, 24 Jun 2026 16:57:50 +0000 (17:57 +0100)
When processing CONTINUATION frames, ngx_http_v2_handle_continuation()
used ngx_memcpy() to shift header block fragment data past the frame
header.  If the fragment is larger than the frame header (9 bytes),
the source and destination regions overlap, which is undefined
behavior for memcpy.  The same function already uses ngx_memmove()
for another overlapping shift.

src/http/v2/ngx_http_v2.c

index 69cb0ae09a6629cc032e8cca7d7b8e0532971f76..7b1efa3ec9c84f1c5af46ba856365c897ddc1a8a 100644 (file)
@@ -1967,7 +1967,7 @@ ngx_http_v2_handle_continuation(ngx_http_v2_connection_t *h2c, u_char *pos,
     p = pos;
     pos += NGX_HTTP_V2_FRAME_HEADER_SIZE;
 
-    ngx_memcpy(pos, p, len);
+    ngx_memmove(pos, p, len);
 
     len = ngx_http_v2_parse_length(head);
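
Review bot: the `ngx_memmove(pos, p, len)` line should carry a short comment saying why it has to be a move, because nothing at the call site shows that the two regions overlap. The destination is `p + NGX_HTTP_V2_FRAME_HEADER_SIZE`, so source and destination overlap whenever `len` is larger than the header size, and a later cleanup could easily turn this back into `ngx_memcpy()`. Something like `/* regions overlap when len > NGX_HTTP_V2_FRAME_HEADER_SIZE */` above the call would do. Separately, the move writes up to `pos + len`, and the hunk does not show where the buffer is guaranteed to hold `len` bytes beyond the frame header. It would help to confirm that check exists earlier in the function and mention it in the commit message. A regression test that sends a CONTINUATION frame with a fragment longer than 9 bytes, run under a sanitizer build, would keep this from recurring.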