BUG/MINOR: hpack: reject invalid header index

If the hpack decoder sees an invalid header index, it emits value "### ERR ###" that was used during debugging instead of rejecting the block. This is harmless, and was detected by h2spec. To backport to 1.8.
2017-12-03 12:12:17 +01:00 · 2017-12-03 12:12:17 +01:00 · d85ba4e092
parent 4235d18214
commit d85ba4e092
2 changed files with 16 additions and 0 deletions
--- a/include/common/hpack-tbl.h
+++ b/include/common/hpack-tbl.h
@ -154,6 +154,12 @@ static inline const struct hpack_dte *hpack_get_dte(const struct hpack_dht *dht,
 	return &dht->dte[idx];
 }

+/* returns non-zero if <idx> is valid for table <dht> */
+static inline int hpack_valid_idx(const struct hpack_dht *dht, uint16_t idx)
+{
+	return idx < dht->used + HPACK_SHT_SIZE;
+}
+
 /* return a pointer to the header name for entry <dte>. */
 static inline struct ist hpack_get_name(const struct hpack_dht *dht, const struct hpack_dte *dte)
 {
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@ -177,6 +177,11 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 				goto leave;
 			}

+			if (!hpack_valid_idx(dht, idx)) {
+				ret = -HPACK_ERR_TOO_LARGE;
+				goto leave;
+			}
+
 			value = hpack_alloc_string(tmp, idx, hpack_idx_to_value(dht, idx));
 			if (!value.ptr) {
 				ret = -HPACK_ERR_TOO_LARGE;
@ -316,6 +321,11 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 				goto leave;
 			}

+			if (!hpack_valid_idx(dht, idx)) {
+				ret = -HPACK_ERR_TOO_LARGE;
+				goto leave;
+			}
+
 			/* retrieve value */
 			huff = *raw & 0x80;
 			vlen = get_var_int(&raw, &len, 7);