From cb1847c77285ba6dbd413774fcf2282cafa19bd2 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 21 Apr 2021 11:11:21 +0200 Subject: [PATCH] BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames When header are splitted over several frames, payload of HEADERS and CONTINUATION frames are merged to form a unique HEADERS frame before decoding the payload. To do so, info about the current frame are updated (dff, dfl..) with info of the next one. Here there is a bug when the frame length (dfl) is update. We must add the next frame length (hdr.dfl) and not only the amount of data found in the buffer (clen). Because HEADERS frames are decoded in one pass, dfl value is the whole frame length or 0. nothing intermediary. This patch must be backported as far as 2.0. --- src/mux_h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index 695eb160d..35767b185 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -4642,7 +4642,7 @@ next_frame: * above). The hole moves after the new aggragated frame. */ b_move(&h2c->dbuf, b_peek_ofs(&h2c->dbuf, h2c->dfl + hole + 9), clen, -(h2c->dpl + hole + 9)); - h2c->dfl += clen - h2c->dpl; + h2c->dfl += hdr.len - h2c->dpl; hole += h2c->dpl + 9; h2c->dpl = 0; TRACE_STATE("waiting for next continuation frame", H2_EV_RX_FRAME|H2_EV_RX_FHDR|H2_EV_RX_CONT|H2_EV_RX_HDR, h2c->conn);
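Review bot: The changed line `h2c->dfl += hdr.len - h2c->dpl;` now grows dfl by the next frame's full length while the `b_move()` call just above it still moves only `clen` bytes, and nothing at that spot says the difference is intentional. The commit message gives the reason (HEADERS frames are decoded in one pass, so dfl is either the whole frame length or 0); a one-line comment stating that invariant next to the assignment would keep a later cleanup from turning it back into `clen`. The commit message also calls the added value `hdr.dfl` while the code uses `hdr.len`; aligning the two names would help anyone backporting this as far as 2.0. The "aggragated" typo in the context comment could be fixed in passing.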