From 12a2eebaf20111dcfdb670abb88543d74533b8c8 Mon Sep 17 00:00:00 2001
From: Yang_X_Y
Date: Wed, 15 May 2024 09:19:24 +0800
Subject: [PATCH] fix cve-2024-2398\2466
---
 0001-fix-cve-2024-2398-2466.patch | 116 ++++++++++++++++++++++++++++++
 curl.spec | 7 +-
 2 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-cve-2024-2398-2466.patch
diff --git a/0001-fix-cve-2024-2398-2466.patch b/0001-fix-cve-2024-2398-2466.patch
new file mode 100644
index 0000000..690261d
--- /dev/null
+++ b/0001-fix-cve-2024-2398-2466.patch
@@ -0,0 +1,116 @@
+From 38cc553a34d2a58049332dde5f1448056d08f48f Mon Sep 17 00:00:00 2001
+From: Yang_X_Y
+Date: Tue, 14 May 2024 16:08:48 +0800
+Subject: [PATCH] fix-cve-2024-2398\2466
+
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ lib/vtls/mbedtls.c | 15 +++++++--------
+ 2 files changed, 22 insertions(+), 27 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 9738484..55d5b56 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
+ return CURLE_OK;
+ }
+
++static void free_push_headers(struct stream_ctx *stream)
++{
++ size_t i;
++ for(i = 0; ipush_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static void http2_data_done(struct Curl_cfilter *cf,
+ struct Curl_easy *data, bool premature)
+ {
+@@ -318,15 +327,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
+ Curl_bufq_free(&stream->recvbuf);
+ Curl_h1_req_parse_free(&stream->h1);
+ Curl_dynhds_free(&stream->resp_trailers);
+- if(stream->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; stream->push_headers_used > 0; --stream->push_headers_used) {
+- free(stream->push_headers[stream->push_headers_used - 1]);
+- }
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- }
+-
++ free_push_headers(stream);
+ free(stream);
+ H2_STREAM_LCTX(data) = NULL;
+ }
+@@ -873,7 +874,6 @@ static int push_promise(struct Curl_cfilter *cf,
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ CURLcode result;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = h2_duphandle(cf, data);
+ if(!newhandle) {
+@@ -918,11 +918,7 @@ static int push_promise(struct Curl_cfilter *cf,
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; ipush_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1452,14 +1448,14 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+ if(stream->push_headers_alloc > 1000) {
+ /* this is beyond crazy many headers, bail out */
+ failf(data_s, "Too many PUSH_PROMISE headers");
+- Curl_safefree(stream->push_headers);
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 38f7de7..2618f47 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -640,14 +640,13 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
+ &backend->clicert, &backend->pk);
+ }
+
+- if(connssl->peer.sni) {
+- if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni)) {
+- /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
+- the name to set in the SNI extension. So even if curl connects to a
+- host specified as an IP address, this function must be used. */
+- failf(data, "Failed to set SNI");
+- return CURLE_SSL_CONNECT_ERROR;
+- }
++ if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni?
++ connssl->peer.sni : connssl->peer.hostname)) {
++ /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
++ the name to set in the SNI extension. So even if curl connects to a
++ host specified as an IP address, this function must be used. */
++ failf(data, "Failed to set SNI");
++ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ #ifdef HAS_ALPN
+--
+2.33.0
+
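Review bot: `free_push_headers` frees the array and zeroes `push_headers_used` but leaves `push_headers_alloc` at its old value, and `on_header` now calls it on the realloc failure path after `stream->push_headers_alloc *= 2;` has already run. The allocation branch of `on_header` lies outside this hunk, so it is not visible whether the capacity is re-initialised when `push_headers` is NULL; adding `stream->push_headers_alloc = 0;` to the helper would keep the three fields consistent without relying on that. The loop condition is shown here as `ipush_headers_used`, which looks like a rendering loss of `i < stream->push_headers_used` and should be checked against the actual patch file. The embedded patch header also names no upstream commits and folds the lib/http2.c and lib/vtls/mbedtls.c fixes into one file; one patch per CVE with a line such as `Upstream-commit: <upstream commit id>` would let the backport be audited against upstream.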
diff --git a/curl.spec b/curl.spec index 91056c4..8b4a2bf 100644 --- a/curl.spec +++ b/curl.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 8.5.0 @@ -88,6 +88,8 @@ BuildRequires: valgrind # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl >= %{version}-%{release} +Patch: 0001-fix-cve-2024-2398-2466.patch + %description curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, @@ -366,6 +368,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish %doc docs/TheArtOfHttpScripting.md %changelog +* Tue May 14 2024 yangxinyu - 8.5.0-2 +- fix cve-2024-2398\2466 + * Thu Dec 07 2023 Funda Wang - 8.5.0-1 - New version 8.5.0 - Add forgotten errorcodes.pl (upstream issue#12462) -- Gitee