This patch fixes an instance of undefined behavior in mod_http2 with LogLevel >= trace2.
Please see the h2_h2_process_conn() function in h2_h2.c:631. The call to ap_log_cerror() passes a pointer to a non-null terminated buffer while specifying %s in the format string. This causes an out-of-bounds access, and the behavior is undefined:

h2_h2.c(631): [client 127.0.0.1:22398] h2_h2, not detected in 24 bytes: GET /Azimuthal_equidista\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd \xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd...

I attached the patch with a fix for this issue.

Regards,
Evgeny Kotkov
Index: modules/http2/h2_h2.c =================================================================== --- modules/http2/h2_h2.c (revision 1747688) +++ modules/http2/h2_h2.c (working copy) @@ -629,8 +629,8 @@ int h2_h2_process_conn(conn_rec* c) } else { ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, - "h2_h2, not detected in %d bytes: %s", - (int)slen, s); + "h2_h2, not detected in %d bytes: %.*s", + (int)slen, (int)slen, s); } apr_brigade_destroy(temp);
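Review bot: In the added ap_log_cerror() arguments, (int)slen now serves as the %.*s precision as well as the %d value, so the read of s is bounded only if slen fits in an int and matches the number of bytes actually present in s. The cast suggests slen has a wider type than int. A one-line comment above the call stating that s is not NUL-terminated and that slen is the number of bytes read (24 in the reported log line) would keep a later cleanup from reverting to plain %s, and clamping slen before the cast would make the bound explicit.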
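The difference between the two format strings, as an added example that is not part of the original message or of httpd. Standard C snprintf() stands in for ap_log_cerror(), and the sample buffer and all function names are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define PEEK_LEN 24   /* bytes actually read from the connection */

/* Constructed input: 24 request bytes followed by 0xcd filler. The final NUL
 * keeps the unbounded "%s" form inside this array, so it is defined here and
 * the two forms can be compared. */
static char sample[64];

static const char *init_sample(void)
{
    memset(sample, 0xcd, sizeof(sample) - 1);
    sample[sizeof(sample) - 1] = '\0';
    memcpy(sample, "GET /Azimuthal_equidista", PEEK_LEN);
    return sample;
}

/* A printf precision is an int: clamp rather than let a cast wrap. */
static int log_precision(size_t len)
{
    return len > (size_t)INT_MAX ? INT_MAX : (int)len;
}

/* Unbounded form: reads until a NUL is found, however far away it is. */
int format_unbounded(char *out, size_t outsz, const char *s, size_t slen)
{
    return snprintf(out, outsz, "h2_h2, not detected in %d bytes: %s",
                    log_precision(slen), s);
}

/* Bounded form: reads at most slen bytes of s. */
int format_bounded(char *out, size_t outsz, const char *s, size_t slen)
{
    return snprintf(out, outsz, "h2_h2, not detected in %d bytes: %.*s",
                    log_precision(slen), log_precision(slen), s);
}

int main(void)
{
    char out[256];
    const char *s = init_sample();
    printf("%%s   message length: %d\n",
           format_unbounded(out, sizeof(out), s, PEEK_LEN));
    printf("%%.*s message length: %d\n",
           format_bounded(out, sizeof(out), s, PEEK_LEN));
    return 0;
}
```

In the real buffer there is no guaranteed NUL after the 24 bytes, so the unbounded form keeps reading adjacent memory instead of stopping at a known point as it does in this sample.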