This patch applies against httpd-2.4.23 and shouldn't be needed in later releases http://openwall.com/lists/oss-security/2016/12/05/17 Index: modules/http2/h2_stream.c =================================================================== --- modules/http2/h2_stream.c (revision 1771866) +++ modules/http2/h2_stream.c (working copy) @@ -322,18 +322,18 @@ HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE); } } - } - - if (h2_stream_is_scheduled(stream)) { - return h2_request_add_trailer(stream->request, stream->pool, - name, nlen, value, vlen); - } - else { - if (!input_open(stream)) { - return APR_ECONNRESET; + + if (h2_stream_is_scheduled(stream)) { + return h2_request_add_trailer(stream->request, stream->pool, + name, nlen, value, vlen); } - return h2_request_add_header(stream->request, stream->pool, - name, nlen, value, vlen); + else { + if (!input_open(stream)) { + return APR_ECONNRESET; + } + return h2_request_add_header(stream->request, stream->pool, + name, nlen, value, vlen); + } } }