]> git.kaiwu.me - nginx.git/commit
HTTP/2: fixed overlapping memcpy in CONTINUATION frames
authorFeng Wu <wufengwufengwufeng@gmail.com>
Sun, 21 Jun 2026 09:30:29 +0000 (17:30 +0800)
committerAndrew Clayton <a.clayton@nginx.com>
Wed, 24 Jun 2026 16:57:50 +0000 (17:57 +0100)
commit2d71bdcf8b34d9a44608920e34f2d031b3a938b6
tree90e0d9a9fd6a8d3d5661ee4a9c9ab3baf52619b3
parentbe84ac8bda2265d254f3ead9c3f0ba1d78a79319
HTTP/2: fixed overlapping memcpy in CONTINUATION frames

When processing CONTINUATION frames, ngx_http_v2_handle_continuation()
used ngx_memcpy() to shift header block fragment data past the frame
header.  If the fragment is larger than the frame header (9 bytes),
the source and destination regions overlap, which is undefined
behavior for memcpy.  The same function already uses ngx_memmove()
for another overlapping shift.
src/http/v2/ngx_http_v2.c