From 1e7d444eec69db192d026a542262891b8de89e0c Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 24 Jan 2019 10:47:10 +0100
Subject: [PATCH] BUG/MINOR: hpack: return a compression error on invalid table size updates

RFC7541#6.3 mandates that an error is reported when a dynamic table size update announces a size larger than the one configured with settings. This is tested by h2spec using test "hpack/6.3/1". This must be backported to 1.9 and possibly 1.8 as well.
---
 include/common/hpack-tbl.h | 1 +
 src/hpack-dec.c | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/include/common/hpack-tbl.h b/include/common/hpack-tbl.h
index 385f3860b..2cbc2bf6c 100644
--- a/include/common/hpack-tbl.h
+++ b/include/common/hpack-tbl.h
@@ -127,6 +127,7 @@ enum {
 HPACK_ERR_MISSING_AUTHORITY, /* :authority is missing with CONNECT */
 HPACK_ERR_SCHEME_NOT_ALLOWED, /* :scheme not allowed with CONNECT */
 HPACK_ERR_PATH_NOT_ALLOWED, /* :path not allowed with CONNECT */
+ HPACK_ERR_INVALID_ARGUMENT, /* an invalid argument was passed */
 };

 /* static header table as in RFC7541 Appendix A. [0] unused. */
diff --git a/src/hpack-dec.c b/src/hpack-dec.c
index 148a9a215..e179f29d5 100644
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@@ -232,6 +232,12 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 goto leave;
 }
 hpack_debug_printf(" new len=%u\n", idx);
+
+ if (idx > dht->size) {
+ hpack_debug_printf("##ERR@%d##\n", __LINE__);
+ ret = -HPACK_ERR_INVALID_ARGUMENT;
+ goto leave;
+ }
 continue;
 }
 else if (!(*raw & (*raw - 0x10))) {
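Review bot: The comment on `HPACK_ERR_INVALID_ARGUMENT` reads as a caller-side API misuse, yet the only use this patch adds is for a value taken from the peer's encoded stream (a table size update above the configured size). A comment such as `/* invalid value in the encoded stream (e.g. table size update above the configured size) */` would make it clear to whoever maps these codes that this is still a decoding failure to be reported as a compression error. The start of the enum is outside the hunk.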
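Review bot: Once the new `idx > dht->size` check passes, `idx` is only printed and the branch reaches `continue`, so within this hunk the announced size is validated but never applied to the table. RFC 7541 section 4.3 expects entries to be evicted when the maximum size is reduced; if that is deliberately not done, entries the peer considers evicted stay addressable, and a comment should say so, e.g. `/* size update accepted but not applied: the table keeps dht->size */`. It is also worth confirming that `dht->size` holds the limit advertised in SETTINGS rather than the current occupancy, since the struct definition is not visible here. The body of hpack_decode_frame starts and ends outside the hunk.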