BUG/MEDIUM: h2: reject non-3-digit status codes

If the H1 parser reported a status code that did not consist of exactly
3 digits, the error case was confused with a lack of buffer room, which
caused the parser to loop infinitely.
Willy Tarreau 2017-11-09 11:23:00 +01:00
parent 1b4cf9b754
commit a87f202b49


@ -2609,7 +2609,13 @@ static int h2s_frt_make_resp_headers(struct h2s *h2s, struct buffer *buf)
outbuf.str[outbuf.len++] = 0x88; // indexed field : idx[08]=(":status", "200")
else if (outbuf.len < outbuf.size && h1m->status == 304)
outbuf.str[outbuf.len++] = 0x8b; // indexed field : idx[11]=(":status", "304")
else if (list[0].v.len == 3 && outbuf.len + 2 + 3 <= outbuf.size) {
else if (unlikely(list[0].v.len != 3)) {
/* this is an unparsable response */
h2s_error(h2s, H2_ERR_INTERNAL_ERROR);
ret = 0;
goto end;
}
else if (unlikely(outbuf.len + 2 + 3 <= outbuf.size)) {
/* basic encoding of the status code */
outbuf.str[outbuf.len++] = 0x48; // indexed name -- name=":status" (idx 8)
outbuf.str[outbuf.len++] = 0x03; // 3 bytes status
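Review bot: The new `list[0].v.len != 3` rejection is only reached after the `h1m->status == 200` / `== 304` shortcuts, so a response that takes either indexed-field path is never length-checked. Whether the H1 parser can yield one of those values from a status text that is not 3 characters long is not visible here, but hoisting the length check above the chain would make the validation unconditional. Separately, `unlikely()` on the room check marks the normal case as the cold path; `else if (likely(outbuf.len + 2 + 3 <= outbuf.size)) {` (or no hint) matches the intent. The check also tests length only, so a short comment stating that the H1 parser guarantees the three bytes are digits would help; the function starts and ends outside this hunk.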