Hi,

OpenSSL passes the out and outlen variables uninitialized to the select_next_proto_cb callback function. If the callback function returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled in values for out and outlen and processes them as such. Previously, if there was no overlap in the protocol lists, the curl code did not fill any values into these variables and returned SSL_TLSEXT_ERR_OK, which means we were triggering undefined behavior. valgrind warns about this.

This patch fixes this issue by filling in the HTTP/2 protocol identifier that the nghttp2 library supports when there is no overlap. Unlike ALPN, the NPN specification https://technotes.googlecode.com/git/nextprotoneg.html says that the client should select the first protocol it supports if there is no overlap.

Best regards,
Tatsuhiro Tsujikawa
0001-openssl-Fix-uninitialized-variable-use-in-NPN-callba.patch.gz
Description: GNU Zip compressed data
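An added example, not part of the original message or the attached patch: a stand-alone C sketch of an NPN-style selection routine that writes out and outlen on every path that returns success, including the no-overlap fallback to the client's first protocol. The names select_proto, find_proto and ERR_OK are hypothetical stand-ins (the code does not link OpenSSL or curl), and the protocol lists are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#define ERR_OK 0 /* stand-in for SSL_TLSEXT_ERR_OK; this sketch does not link OpenSSL */

/* Find `name` in a length-prefixed protocol list (one length byte, then the
 * name). Returns a pointer into `list`, or NULL if absent or malformed. */
static const unsigned char *find_proto(const unsigned char *list, unsigned int listlen,
                                       const char *name, unsigned char namelen)
{
  unsigned int i = 0;
  while (i < listlen) {
    unsigned char len = list[i++];
    if (len == 0 || len > listlen - i)
      return NULL; /* zero-length or truncated entry: stop, do not over-read */
    if (len == namelen && memcmp(list + i, name, len) == 0)
      return list + i;
    i += len;
  }
  return NULL;
}

/* Hypothetical callback body with the out/outlen contract from the message:
 * the caller passes both uninitialized and reads them on ERR_OK.
 * prefs[0..nprefs-1] are the client's protocols in preference order. */
static int select_proto(const unsigned char **out, unsigned char *outlen,
                        const unsigned char *in, unsigned int inlen,
                        const char *const *prefs, size_t nprefs)
{
  for (size_t k = 0; k < nprefs; k++) {
    unsigned char n = (unsigned char)strlen(prefs[k]);
    const unsigned char *hit = find_proto(in, inlen, prefs[k], n);
    if (hit) { *out = hit; *outlen = n; return ERR_OK; }
  }
  /* No overlap: select the client's first protocol, so a success return
   * never leaves out/outlen unset. */
  *out = (const unsigned char *)prefs[0];
  *outlen = (unsigned char)strlen(prefs[0]);
  return ERR_OK;
}

int main(void)
{
  const unsigned char server[] = "\x06" "spdy/3";   /* constructed: no overlap */
  const char *const prefs[] = { "h2", "http/1.1" }; /* constructed sample ids */
  const unsigned char *out; unsigned char outlen;   /* uninitialized, as in the report */
  select_proto(&out, &outlen, server, sizeof(server) - 1, prefs, 2);
  printf("selected: %.*s\n", (int)outlen, (const char *)out);
  return 0;
}
```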
