BUG/MINOR: h2: forbid 'Z' as well in header field names checks

The current tests in h2_make_htx_request(), h2_make_htx_response()
and h2_make_htx_trailers() check for an interval between 'A' and 'Z'
for letters in header field names that should be forbidden, but
mistakenly leave the 'Z' out of the forbidden range, resulting in it
being implicitly valid.

This has no real consequences but should be fixed for the sake of
protocol validity checking.

This must be backported to all relevant versions.

diff --git a/src/h2.c b/src/h2.c
index 491f62323c25c9eab7131f4513ffe31ff1753eb4..9cc006ea938a6bc92220a03b772cab4e953b736d 100644 (file)
--- a/src/h2.c
+++ b/src/h2.c
@@ -349,7 +349,7 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
                        phdr = h2_str_to_phdr(list[idx].n);
 
                        for (i = !!phdr; i < list[idx].n.len; i++)
-                               if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+                               if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
                                        goto fail;
                }
 
@@ -665,7 +665,7 @@ int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *m
                        phdr = h2_str_to_phdr(list[idx].n);
 
                        for (i = !!phdr; i < list[idx].n.len; i++)
-                               if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+                               if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
                                        goto fail;
                }
 
@@ -828,7 +828,7 @@ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx)
                 * also catches pseudo-headers which are forbidden in trailers.
                 */
                for (i = 0; i < list[idx].n.len; i++)
-                       if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+                       if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
                                goto fail;
 
                /* these ones are forbidden in trailers (RFC7540#8.1.2.2) */