debian/patches/CVE-2021-31618.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Description: fix NULL pointer dereference on specially crafted HTTP/2 request
Author: Upstream
Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
Bug-Debian: https://bugs.debian.org/989562
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2021-06-10

--- a/modules/http2/h2_stream.c
+++ b/modules/http2/h2_stream.c
@@ -638,7 +638,7 @@
 
 static void set_error_response(h2_stream *stream, int http_status)
 {
-    if (!h2_stream_is_ready(stream)) {
+    if (!h2_stream_is_ready(stream) && stream->rtmp) {
         conn_rec *c = stream->session->c;
         apr_bucket *b;
         h2_headers *response;