new file mode 100644

@@ -0,0 +1,80 @@

+--- a/tests/nghttp2_session_test.c	2017-05-30 20:42:01.000000000 +0530

+@@ -81,8 +81,10 @@

+ } my_user_data;

+ 

+ static const nghttp2_nv reqnv[] = {

+-    MAKE_NV(":method", "GET"), MAKE_NV(":path", "/"),

+-    MAKE_NV(":scheme", "https"), MAKE_NV(":authority", "localhost"),

++    MAKE_NV(":method", "GET"),

++    MAKE_NV(":path", "/"),

++    MAKE_NV(":scheme", "https"),

++    MAKE_NV(":authority", "localhost"),

+ };

+ 

+ static const nghttp2_nv resnv[] = {

+@@ -938,7 +940,7 @@

+   stream = open_sent_stream2(session, 1, NGHTTP2_STREAM_CLOSING);

+ 

+   /* Set initial window size 16383 to check stream flow control,

+-     isolating it from the conneciton flow control */

++     isolating it from the connection flow control */

+   stream->local_window_size = 16383;

+ 

+   ud.data_chunk_recv_cb_called = 0;

+@@ -2295,6 +2297,31 @@

+ 

+   nghttp2_session_del(session);

+ 

++  /* send too large frame */

++  nghttp2_buf_reset(&buf);

++

++  nghttp2_session_client_new2(&session, &callbacks, &ud, option);

++

++  session->local_settings.max_frame_size = NGHTTP2_MAX_FRAME_SIZE_MIN - 1;

++

++  nghttp2_frame_hd_init(&hd, NGHTTP2_MAX_FRAME_SIZE_MIN + 1, NGHTTP2_ALTSVC,

++                        NGHTTP2_FLAG_NONE, 0);

++  nghttp2_frame_pack_frame_hd(buf.last, &hd);

++  buf.last += NGHTTP2_FRAME_HDLEN;

++  nghttp2_put_uint16be(buf.last, sizeof(origin) - 1);

++  buf.last += 2;

++  buf.last = nghttp2_cpymem(buf.last, origin, sizeof(origin) - 1);

++  memset(buf.last, 0, nghttp2_buf_avail(&buf));

++  buf.last += nghttp2_buf_avail(&buf);

++

++  ud.frame_recv_cb_called = 0;

++  rv = nghttp2_session_mem_recv(session, buf.pos, nghttp2_buf_len(&buf));

++

++  CU_ASSERT((ssize_t)nghttp2_buf_len(&buf) == rv);

++  CU_ASSERT(0 == ud.frame_recv_cb_called);

++

++  nghttp2_session_del(session);

++

+   /* received by server */

+   nghttp2_buf_reset(&buf);

+ 

+@@ -5876,9 +5903,8 @@

+ 

+   len = nghttp2_session_mem_send(session, &data);

+ 

+-  CU_ASSERT(len ==

+-            NGHTTP2_FRAME_HDLEN + 2 + sizeof(origin) - 1 + sizeof(field_value) -

+-                1);

++  CU_ASSERT(len == NGHTTP2_FRAME_HDLEN + 2 + sizeof(origin) - 1 +

++                       sizeof(field_value) - 1);

+ 

+   nghttp2_frame_unpack_frame_hd(&hd, data);

+ 

+--- a/lib/nghttp2_frame.c	2017-05-30 20:42:01.000000000 +0530

+@@ -215,6 +215,9 @@

+   nghttp2_ext_altsvc *altsvc;

+ 

+   altsvc = frame->payload;

++  if (altsvc == NULL) {

++    return;

++  }

+   /* We use the same buffer for altsvc->origin and

+      altsvc->field_value. */

+   nghttp2_mem_free(mem, altsvc->origin);

@@ -1,7 +1,7 @@

 Summary:    nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.

 Name:       nghttp2

 Version:    1.23.1

-Release:    1%{?dist}

+Release:    2%{?dist}

 License:    MIT

 URL:        https://nghttp2.org

 Group:      Applications/System

@@ -10,6 +10,8 @@ Distribution: Photon

 Source0:        https://github.com/nghttp2/nghttp2/releases/download/v1.23.1/%{name}-%{version}.tar.xz

 %define sha1 nghttp2=80758c07d20fcde717243c1a0baf99da78693fca

+Patch0:        CVE-2018-1000168.patch

+

 BuildRequires: c-ares-devel

 BuildRequires: openssl-devel

 BuildRequires: systemd

@@ -31,6 +33,7 @@ These are the header files of nghttp2.

 %prep

 %setup -q

+%patch0 -p1

 %build

 ./configure --prefix=%{_prefix}        \

@@ -58,5 +61,7 @@ rm %{buildroot}/%{_libdir}/*.la

 %{_libdir}/pkgconfig/*.pc

 %changelog

+*   Tue Jun 18 2018 Dweep Advani <dadvani@vmware.com> 1.23.1-2

+-   Fix of CVE-2018-1000168.

 *   Tue Jun 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 1.23.1-1

 -   First version