From edc8c917108fec0d42aa7bff3631ec6508f290bf Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Fri, 29 Mar 2024 09:10:34 +0000
Subject: [PATCH] fix CVE-2024-2398

(cherry picked from commit 229588cc4074344d6cea95bf9cc30ebd057d9c5f)
---
 backport-CVE-2024-2398.patch | 89 ++++++++++++++++++++++++++++++++++++
 curl.spec                    |  9 +++-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-2398.patch

diff --git a/backport-CVE-2024-2398.patch b/backport-CVE-2024-2398.patch
new file mode 100644
index 0000000..54c0434
--- /dev/null
+++ b/backport-CVE-2024-2398.patch
@@ -0,0 +1,89 @@
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Conflict:Context adapt
+Reference:http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.81.0-1ubuntu1.16.debian.tar.xz
+---
+ lib/http2.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 6d63f43..f5c6013 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -547,6 +547,15 @@ static int set_transfer_url(struct Curl_easy *data,
+   return 0;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; i<stream->push_headers_used; i++)
++    free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+                         struct connectdata *conn,
+                         const nghttp2_push_promise *frame)
+@@ -560,7 +569,6 @@ static int push_promise(struct Curl_easy *data,
+     struct curl_pushheaders heads;
+     CURLMcode rc;
+     struct http_conn *httpc;
+-    size_t i;
+     /* clone the parent */
+     struct Curl_easy *newhandle = duphandle(data);
+     if(!newhandle) {
+@@ -596,11 +604,7 @@ static int push_promise(struct Curl_easy *data,
+     Curl_set_in_callback(data, false);
+
+     /* free the headers again */
+-    for(i = 0; i<stream->push_headers_used; i++)
+-      free(stream->push_headers[i]);
+-    free(stream->push_headers);
+-    stream->push_headers = NULL;
+-    stream->push_headers_used = 0;
++    free_push_headers(stream);
+
+     if(rv) {
+       /* denied, kill off the new handle again */
+@@ -1037,10 +1041,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+             stream->push_headers_alloc) {
+       char **headp;
+       stream->push_headers_alloc *= 2;
+-      headp = Curl_saferealloc(stream->push_headers,
+-                               stream->push_headers_alloc * sizeof(char *));
++      headp = realloc(stream->push_headers,
++                      stream->push_headers_alloc * sizeof(char *));
+       if(!headp) {
+-        stream->push_headers = NULL;
++        free_push_headers(stream);
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+       }
+       stream->push_headers = headp;
+@@ -1206,15 +1210,7 @@ void Curl_http2_done(struct Curl_easy *data, bool premature)
+   /* there might be allocated resources done before this got the 'h2' pointer
+      setup */
+   Curl_dyn_free(&http->header_recvbuf);
+-  if(http->push_headers) {
+-    /* if they weren't used and then freed before */
+-    for(; http->push_headers_used > 0; --http->push_headers_used) {
+-      free(http->push_headers[http->push_headers_used - 1]);
+-    }
+-    free(http->push_headers);
+-    http->push_headers = NULL;
+-  }
+-
++  free_push_headers(http);
+   if(!httpc->h2) /* not HTTP/2 ? */
+     return;
+
+--
+2.33.0
diff --git a/curl.spec b/curl.spec
index 082ff72..99ef7a1 100644
--- a/curl.spec
+++ b/curl.spec
@@ -6,7 +6,7 @@
 
 Name:           curl
 Version:        7.71.1
-Release:        32
+Release:        33
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        MIT
 URL:            https://curl.haxx.se/
@@ -72,6 +72,7 @@ Patch159:       backport-0001-CVE-2023-46218.patch
 Patch160:       backport-0002-CVE-2023-46218.patch
 Patch161:       backport-0001-CVE-2023-46219.patch
 Patch162:       backport-0002-CVE-2023-46219.patch
+Patch163:       backport-CVE-2024-2398.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -236,6 +237,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Fri Mar 29 2024 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-33
+- Type:CVE
+- CVE:CVE-2024-2398
+- SUG:NA
+- DESC:fix CVE-2024-2398
+
 * Fri Dec 08 2023 zhouyihang <zhouyihang3@h-partners.com> - 7.71.1-32
 - Type:CVE
 - CVE:CVE-2023-46218 CVE-2023-46219