BUG/MINOR: qpack: reject invalid increment count decoding

Close the connection using QPACK_DECODER_STREAM_ERROR when receiving an
invalid insert count increment. As haproxy does not use a dynamic table,
this instruction must never be emitted by the peer.

Prior to this patch, haproxy silently ignored such an instruction, which
does not conform to the QUIC specification.

This should be backported up to 2.6. Note that on 2.6 qcc_set_error()
must be replaced by function qcc_emit_cc_app().
Amaury Denoyelle 2024-02-14 16:59:24 +01:00
parent cc29ab437e
commit bd71212ea9


@ -173,6 +173,18 @@ int qpack_decode_dec(struct buffer *buf, int fin, void *ctx)
inst = (unsigned char)*b_head(buf) & QPACK_DEC_INST_BITMASK;
if (inst == QPACK_DEC_INST_ICINC) {
/* Insert count increment */
/* RFC 9204 4.4.3. Insert Count Increment
*
* An encoder that receives an Increment field equal to zero, or one
* that increases the Known Received Count beyond what the encoder has
* sent, MUST treat this as a connection error of type
* QPACK_DECODER_STREAM_ERROR.
*/
/* For the moment haproxy does not emit dynamic table insertion. */
qcc_set_error(qcs->qcc, QPACK_DECODER_STREAM_ERROR, 1);
return -1;
}
else if (inst & QPACK_DEC_INST_SACK) {
/* Section Acknowledgment */
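Review bot: In the `QPACK_DEC_INST_ICINC` branch the error is raised unconditionally and the Increment field is never decoded, so the RFC 9204 4.4.3 text quoted above it (zero increment, or an increment past what the encoder has sent) is only satisfied because haproxy currently sends no insertions. The comment `/* For the moment haproxy does not emit dynamic table insertion. */` should say that explicitly and be marked as a TODO: once dynamic table insertions are emitted, this branch has to decode the increment and compare it against the count of insertions sent, rejecting only zero and overshoot. Two smaller points: the literal `1` passed as the third argument of `qcc_set_error(qcs->qcc, QPACK_DECODER_STREAM_ERROR, 1);` is not explained at the call site and would benefit from a short comment, and `/* Insert count increment */` could be folded into the RFC comment block that follows it so there is a single comment for the branch.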