From 97215ca284fa7127f20248f00919a0d6df5b8819 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 29 Apr 2019 10:20:21 +0200 Subject: [PATCH] BUG/MEDIUM: mux-h2: properly deal with too large headers frames In h2c_decode_headers(), now that we support CONTINUATION frames, we try to defragment all pending frames at once before processing them. However if the first is exactly full and the second cannot be parsed, we don't detect the problem and we wait for the next part forever due to an incorrect check on exit; we must abort the processing as soon as the current frame remains full after defragmentation as in this case there is no way to make forward progress. Thanks to Yves Lafon for providing traces exhibiting the problem. This must be backported to 1.9. --- src/mux_h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index a6d89b92d..55d69a28e 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -3579,7 +3579,7 @@ next_frame: b_sub(&h2c->dbuf, hole); } - if (b_full(&h2c->dbuf) && h2c->dfl > b_data(&h2c->dbuf)) { + if (b_full(&h2c->dbuf) && h2c->dfl >= b_data(&h2c->dbuf)) { /* too large frames */ h2c_error(h2c, H2_ERR_INTERNAL_ERROR); ret = -1;
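Review bot: the comment on the changed condition in h2c_decode_headers() still reads only `/* too large frames */`, which does not explain why equality now counts as an error. With `h2c->dfl >= b_data(&h2c->dbuf)`, the branch also fires when the buffer is full and the pending frame length exactly matches the buffered data. The commit message describes this as the case where the frame remains full after defragmentation and no forward progress is possible. That reasoning exists only in the commit message, so a later reader could easily turn the `>=` back into `>` as an apparent off-by-one. Suggest expanding the comment to say that a buffer still full after defragmentation can never receive the next part, so processing must abort here rather than wait. The diffstat shows only src/mux_h2.c changed. A regression test built from the reported traces (first frame exactly filling the buffer, followed by a frame that cannot be parsed) would protect the boundary, especially as this is marked for backport to 1.9.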