haproxy

mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-28 15:42:30 +00:00

History

Willy Tarreau 3ca2365904 BUG/MEDIUM: h2: report frame bits only for handled types As part of his GREASE experiments on Chromium, Bence B�ky reported in https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0202.html and https://bugs.chromium.org/p/chromium/issues/detail?id=1127060 that a certain combination of frame type and frame flags was causing an error on app.slack.com. It turns out that it's haproxy that is causing this issue because the frame type is wrongly assumed to support padding, the frame flags indicate padding is present, and the frame is too short for this, resulting in an error. The reason why only some frame types are affected is due to the frame type being used in a bit shift to match against a mask, and where the 5 lower bits of the frame type only are used to compute the frame bit. If the resulting frame bit matches a DATA, HEADERS or PUSH_PROMISE frame bit, then padding support is assumed and the test is enforced, resulting in a PROTOCOL_ERROR or FRAME_SIZE_ERROR depending on the payload size. We must never match any such bit for unsupported frame types so let's add a check for this. This must be backported as far as 1.8. Thanks to Cooper Bethea for providing enough context to help narrow the issue down and to Bence B�ky for creating a simple reproducer.	2020-09-18 08:05:03 +02:00
..
haproxy	BUG/MEDIUM: h2: report frame bits only for handled types	2020-09-18 08:05:03 +02:00
import	CLEANUP: assorted typo fixes in the code and comments	2020-06-26 11:27:28 +02:00

Willy Tarreau 3ca2365904 BUG/MEDIUM: h2: report frame bits only for handled types

As part of his GREASE experiments on Chromium, Bence B�ky reported in
https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0202.html
and https://bugs.chromium.org/p/chromium/issues/detail?id=1127060 that
a certain combination of frame type and frame flags was causing an error
on app.slack.com. It turns out that it's haproxy that is causing this
issue because the frame type is wrongly assumed to support padding, the
frame flags indicate padding is present, and the frame is too short for
this, resulting in an error.

The reason why only some frame types are affected is due to the frame
type being used in a bit shift to match against a mask, and where the
5 lower bits of the frame type only are used to compute the frame bit.
If the resulting frame bit matches a DATA, HEADERS or PUSH_PROMISE frame
bit, then padding support is assumed and the test is enforced, resulting
in a PROTOCOL_ERROR or FRAME_SIZE_ERROR depending on the payload size.

We must never match any such bit for unsupported frame types so let's
add a check for this. This must be backported as far as 1.8.

Thanks to Cooper Bethea for providing enough context to help narrow the
issue down and to Bence B�ky for creating a simple reproducer.

2020-09-18 08:05:03 +02:00

haproxy

BUG/MEDIUM: h2: report frame bits only for handled types

2020-09-18 08:05:03 +02:00

import

CLEANUP: assorted typo fixes in the code and comments

2020-06-26 11:27:28 +02:00