mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 00:20:08 +00:00
Code Issues Projects Releases Wiki Activity

nghttp2: Fix CVE-2026-27135

Browse Source 
Pick patch from [1] also mentioned in [2]
[1] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27135

(From OE-Core rev: 892fdc819660ab67d9930e0ccb71e4138fcf1750)

Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Anil Dongare
2026-04-03 00:14:56 -07:00
committed by Paul Barker
parent 8e82d7a9bf
commit 4660614544
2 changed files with 113 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-support/nghttp2/nghttp2/CVE-2026-27135.patch
+110
View File
@@ -0,0 +1,110 @@
From f9812d447b14435de77751077ef48214ebf252ec Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 18 Feb 2026 18:04:30 +0900
Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
failure
CVE: CVE-2026-27135
Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1]
(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1)
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 004a4dff..54312588 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -6079,6 +6079,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
on_begin_frame_called = 1;
rv = session_process_headers_frame(session);
@@ -6445,6 +6449,9 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
}
}
@@ -6701,6 +6708,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
session_inbound_frame_reset(session);
break;
@@ -7004,6 +7015,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
} else {
iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
}
@@ -7169,6 +7184,11 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
rv = session->callbacks.on_data_chunk_recv_callback(
session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
in - readlen, (size_t)data_readlen, session->user_data);
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
if (rv == NGHTTP2_ERR_PAUSE) {
return (nghttp2_ssize)(in - first);
}
@@ -7256,6 +7276,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
if (rv != 0) {
busy = 1;
@@ -7274,6 +7298,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
session_inbound_frame_reset(session);
break;
@@ -7302,6 +7330,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (nghttp2_ssize)inlen;
+ }
+
session_inbound_frame_reset(session);
break;
--
2.43.7
meta/recipes-support/nghttp2/nghttp2_1.61.0.bb
+3 -1
View File
@@ -4,7 +4,9 @@ SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=764abdf30b2eadd37ce47dcbce0ea1ec"
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/nghttp2-${PV}.tar.xz"
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/nghttp2-${PV}.tar.xz \
file://CVE-2026-27135.patch \
"
SRC_URI[sha256sum] = "c0e660175b9dc429f11d25b9507a834fb752eea9135ab420bb7cb7e9dbcc9654"
inherit cmake manpages python3native github-releases