From d85ba4e092997d2a05cd811534c61946c57133a4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Sun, 3 Dec 2017 12:12:17 +0100
Subject: [PATCH] BUG/MINOR: hpack: reject invalid header index
If the hpack decoder sees an invalid header index, it emits value "### ERR ###" that was used during debugging instead of rejecting the block. This is harmless, and was detected by h2spec. To backport to 1.8.
---
 include/common/hpack-tbl.h | 6 ++++++
 src/hpack-dec.c | 10 ++++++++++
 2 files changed, 16 insertions(+)
diff --git a/include/common/hpack-tbl.h b/include/common/hpack-tbl.h
index 5de9d201e8..824c40018e 100644
--- a/include/common/hpack-tbl.h
+++ b/include/common/hpack-tbl.h
@@ -154,6 +154,12 @@ static inline const struct hpack_dte *hpack_get_dte(const struct hpack_dht *dht,
 return &dht->dte[idx];
 }
+/* returns non-zero if is valid for table */
+static inline int hpack_valid_idx(const struct hpack_dht *dht, uint16_t idx)
+{
+ return idx < dht->used + HPACK_SHT_SIZE;
+}
+
 /* return a pointer to the header name for entry . */
 static inline struct ist hpack_get_name(const struct hpack_dht *dht, const struct hpack_dte *dte)
 {
diff --git a/src/hpack-dec.c b/src/hpack-dec.c
index 1a776bca76..0515d011be 100644
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@@ -177,6 +177,11 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 goto leave;
 }
+ if (!hpack_valid_idx(dht, idx)) {
+ ret = -HPACK_ERR_TOO_LARGE;
+ goto leave;
+ }
+
 value = hpack_alloc_string(tmp, idx, hpack_idx_to_value(dht, idx));
 if (!value.ptr) {
 ret = -HPACK_ERR_TOO_LARGE;
@@ -316,6 +321,11 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 goto leave;
 }
+ if (!hpack_valid_idx(dht, idx)) {
+ ret = -HPACK_ERR_TOO_LARGE;
+ goto leave;
+ }
+
 /* retrieve value */
 huff = *raw & 0x80;
 vlen = get_var_int(&raw, &len, 7);
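Review bot: `hpack_valid_idx()` in hpack-tbl.h declares `idx` as `uint16_t`, so a caller that holds the decoded index in a wider integer has it silently narrowed before the bound check, and a very large index could wrap to a small in-range value and be accepted. The declaration of `idx` in hpack_decode_frame is not visible in these hunks, so this needs confirming against the full file. If it is a 32-bit value, take the parameter at that width, `static inline int hpack_valid_idx(const struct hpack_dht *dht, uint32_t idx)`, so the comparison runs on the value that was actually decoded.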
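Review bot: The guard added at line 177 of hpack-dec.c, in what appears to be the indexed-field branch (just before `hpack_idx_to_value(dht, idx)`), still lets index 0 through, because `hpack_valid_idx()` only applies an upper bound. RFC 7541 section 6.1 requires index 0 in an indexed header field to be treated as a decoding error. Unless 0 is already rejected earlier in hpack_decode_frame, outside this hunk, the test could read `if (!idx || !hpack_valid_idx(dht, idx)) {`. Both this hunk and the one at line 321 report the failure as `-HPACK_ERR_TOO_LARGE`, the same code as the allocation failure just below, so a malformed index cannot be told apart from an oversized header when triaging; a dedicated error code would make that distinction visible. The function body begins and ends outside both hunks.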