From 2d71bdcf8b34d9a44608920e34f2d031b3a938b6 Mon Sep 17 00:00:00 2001
From: Feng Wu
Date: Sun, 21 Jun 2026 17:30:29 +0800
Subject: [PATCH] HTTP/2: fixed overlapping memcpy in CONTINUATION frames

When processing CONTINUATION frames, ngx_http_v2_handle_continuation() used ngx_memcpy() to shift header block fragment data past the frame header. If the fragment is larger than the frame header (9 bytes), the source and destination regions overlap, which is undefined behavior for memcpy. The same function already uses ngx_memmove() for another overlapping shift.
---
 src/http/v2/ngx_http_v2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 69cb0ae09..7b1efa3ec 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1967,7 +1967,7 @@ ngx_http_v2_handle_continuation(ngx_http_v2_connection_t *h2c, u_char *pos,
 p = pos;
 pos += NGX_HTTP_V2_FRAME_HEADER_SIZE;
- ngx_memcpy(pos, p, len);
+ ngx_memmove(pos, p, len);
 len = ngx_http_v2_parse_length(head);
--
2.47.3
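Review bot: The new `ngx_memmove(pos, p, len);` line carries no comment saying the shift is deliberately overlapping, so a later cleanup could swap it back to `ngx_memcpy()`; I would add `/* src and dst overlap when len > NGX_HTTP_V2_FRAME_HEADER_SIZE */` directly above it. The hunk also does not show the check that keeps `pos + len` inside the buffer once `pos` has been advanced by the frame header size. The function body starts and ends outside the hunk, so that bound is presumably enforced earlier and is worth confirming in review. A regression test covering a fragment longer than the frame header followed by a CONTINUATION frame, run under AddressSanitizer, would catch a reintroduced overlapping copy.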