Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations

Medium
C
curl

Vulnerability Details

Technical details and impact analysis

Integer Overflow
## Summary

The HTTP/2 proxy implementation in curl contains potential integer overflow vulnerabilities in buffer size calculations that could lead to memory corruption or denial of service.

## AI Usage Statement

This report was prepared by a human security researcher after manual code review. No AI was used to generate this report.

## Affected Version

All curl versions containing the HTTP/2 proxy implementation (since introduction of the feature). Tested with curl 8.6.0 on Linux x86_64.

Examine the window size calculations in cf-h2-proxy.c:

```c
#define PROXY_H2_CHUNK_SIZE (16*1024)
#define H2_TUNNEL_WINDOW_SIZE (10 * 1024 * 1024)
#define PROXY_H2_NW_RECV_CHUNKS (H2_TUNNEL_WINDOW_SIZE / PROXY_H2_CHUNK_SIZE)
```

The calculation H2_TUNNEL_WINDOW_SIZE / PROXY_H2_CHUNK_SIZE could overflow if either value is manipulated via malicious HTTP/2 frames.

The call

```c
nghttp2_session_set_local_window_size(ctx->h2, NGHTTP2_FLAG_NONE, 0,
                                      PROXY_HTTP2_HUGE_WINDOW_SIZE);
```

uses a 100MB window size (PROXY_HTTP2_HUGE_WINDOW_SIZE), which could lead to memory exhaustion.

## Supporting Material/References

- The vulnerable code is in lib/cf-h2-proxy.c in the curl source repository.
- Similar vulnerabilities have been found in other HTTP/2 implementations (CVE-2019-9511, CVE-2019-9513).

## Impact

An attacker controlling a malicious HTTP/2 proxy server could potentially:

- Cause integer overflows leading to memory corruption
- Trigger resource exhaustion via extremely large window sizes
- Cause denial of service through crafted window size advertisements

The impact is limited to:

- Systems using curl with HTTP/2 proxy support enabled
- When connecting to untrusted or compromised HTTP/2 proxies
- Requires the attacker to be in a MITM position or control the proxy server

## Recommended Fixes

- Add bounds checking for window size calculations
- Implement reasonable maximum limits for window sizes
- Add validation of window size advertisements from peers
- Consider using saturating arithmetic for size calculations

## Additional Information

This vulnerability was discovered through manual code review focusing on integer handling in the HTTP/2 proxy implementation. The risk is somewhat mitigated by the fact that it requires proxy server compromise or MITM position, but the potential impact justifies addressing these issues. The vulnerability shares characteristics with known HTTP/2 implementation flaws that have been exploited in other software (e.g., nghttp2, Apache HTTP Server).
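As an added example of the kind of checks the Recommended Fixes describe (this is not curl's code and not part of the report), the following validates a peer-advertised WINDOW_UPDATE increment against the RFC 7540 limit of 2^31-1 and a local buffering cap, and computes a chunk count with overflow-checked arithmetic; the cap and chunk size are constructed values modelled on the report's constants, and `__builtin_mul_overflow` assumes GCC or Clang.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* RFC 7540 section 6.9.1: a flow-control window must not exceed 2^31-1. */
#define H2_MAX_WINDOW_SIZE INT32_MAX
/* Constructed local policy cap and chunk size, modelled on the report's constants. */
#define LOCAL_WINDOW_CAP (10 * 1024 * 1024)
#define RECV_CHUNK_SIZE (16 * 1024)

typedef enum {
    WIN_OK = 0,
    WIN_ERR_ZERO_INCREMENT, /* PROTOCOL_ERROR: increment of 0 */
    WIN_ERR_OVERFLOW,       /* FLOW_CONTROL_ERROR: window would exceed 2^31-1 */
    WIN_ERR_POLICY          /* local cap exceeded: refuse to buffer that much */
} win_status;

/* Apply a peer-advertised WINDOW_UPDATE increment to the current window.
 * The sum is computed in 64 bits so the 32-bit check cannot itself overflow. */
win_status apply_window_update(int32_t current, uint32_t increment, int32_t *out)
{
    if (increment == 0)
        return WIN_ERR_ZERO_INCREMENT;
    /* The wire field is 31 bits; a set reserved bit is also out of range. */
    if (increment > (uint32_t)H2_MAX_WINDOW_SIZE)
        return WIN_ERR_OVERFLOW;
    int64_t sum = (int64_t)current + (int64_t)increment;
    if (sum > H2_MAX_WINDOW_SIZE)
        return WIN_ERR_OVERFLOW;
    if (sum > LOCAL_WINDOW_CAP)
        return WIN_ERR_POLICY;
    *out = (int32_t)sum;
    return WIN_OK;
}

/* Number of receive chunks needed to cover a window (rounded up) and the bytes
 * they occupy, with the multiplication checked for overflow instead of trusted. */
bool chunks_for_window(size_t window, size_t chunk, size_t *chunks, size_t *bytes)
{
    if (chunk == 0) return false;
    /* Round up without computing window + chunk - 1, which could itself wrap. */
    size_t n = window / chunk + (window % chunk != 0);
    size_t total;
    if (__builtin_mul_overflow(n, chunk, &total)) /* GCC/Clang builtin */
        return false;
    *chunks = n;
    *bytes = total;
    return true;
}
```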

Related CVEs

Associated Common Vulnerabilities and Exposures

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data …

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

Integer Overflow