RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-05 11:39:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used

Browse Source 
Tim Dsterhus reported a possible crash in the H2 HEADERS frame decoder
when the PRIORITY flag is present. A check is missing to ensure the 5
extra bytes needed with this flag are actually part of the frame. As per
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.

Many thanks to Tim for responsibly reporting this issue with a working
config and reproducer. This issue was assigned CVE-2018-20615.

This fix must be backported to 1.9 and 1.8.
This commit is contained in:
Willy Tarreau 2018-12-31 07:41:24 +01:00
parent 202c6ce1a2
commit a01f45e3ce
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/mux_h2.c
View File

@ -3316,6 +3316,11 @@ next_frame:
goto fail;
}
if (flen < 5) {
h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
goto fail;
}
hdrs += 5; // stream dep = 4, weight = 1
flen -= 5;
}