From a87f202b4973925e95029c2ce28108171c4b93c2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 9 Nov 2017 11:23:00 +0100
Subject: [PATCH] BUG/MEDIUM: h2: reject non-3-digit status codes

If the H1 parser would report a status code length not consisting in exactly 3 digits, the error case was confused with a lack of buffer room and was causing the parser to loop infinitely.
---
 src/mux_h2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 3696521bb..415362051 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2609,7 +2609,13 @@ static int h2s_frt_make_resp_headers(struct h2s *h2s, struct buffer *buf)
 outbuf.str[outbuf.len++] = 0x88; // indexed field : idx[08]=(":status", "200")
 else if (outbuf.len < outbuf.size && h1m->status == 304)
 outbuf.str[outbuf.len++] = 0x8b; // indexed field : idx[11]=(":status", "304")
- else if (list[0].v.len == 3 && outbuf.len + 2 + 3 <= outbuf.size) {
+ else if (unlikely(list[0].v.len != 3)) {
+ /* this is an unparsable response */
+ h2s_error(h2s, H2_ERR_INTERNAL_ERROR);
+ ret = 0;
+ goto end;
+ }
+ else if (unlikely(outbuf.len + 2 + 3 <= outbuf.size)) {
 /* basic encoding of the status code */
 outbuf.str[outbuf.len++] = 0x48; // indexed name -- name=":status" (idx 8)
 outbuf.str[outbuf.len++] = 0x03; // 3 bytes status
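Review bot: The `unlikely()` wrapped around the room check in the last added line is inverted: having `outbuf.len + 2 + 3 <= outbuf.size` true is the normal case (the 5-byte status encoding fits), so the hint tells the compiler the opposite of the expected path and should simply be dropped, `else if (outbuf.len + 2 + 3 <= outbuf.size) {`. The `unlikely()` on the new `list[0].v.len != 3` branch is the right way round, since that is the malformed-response path. That branch raises H2_ERR_INTERNAL_ERROR and jumps to `end`, which, like the rest of h2s_frt_make_resp_headers, lies outside the hunk; the rationale from the commit message is worth keeping next to the code so nobody later merges the two conditions back together, e.g. `/* not exactly 3 digits: unparsable response; fail the stream here so it is never mistaken for a lack of buffer room, which is retried */`.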