BUG/MEDIUM: mux-h2: properly deal with too large headers frames

In h2c_decode_headers(), now that we support CONTINUATION frames, we
try to defragment all pending frames at once before processing them.
However if the first is exactly full and the second cannot be parsed,
we don't detect the problem and we wait for the next part forever due
to an incorrect check on exit; we must abort the processing as soon as
the current frame remains full after defragmentation as in this case
there is no way to make forward progress.

Thanks to Yves Lafon for providing traces exhibiting the problem.

This must be backported to 1.9.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index a6d89b92d48790c2b26036f43a443476465feda1..55d69a28e0dbce01c1ddc4eb1ab53fe807578084 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3579,7 +3579,7 @@ next_frame:
                b_sub(&h2c->dbuf, hole);
        }
 
-       if (b_full(&h2c->dbuf) && h2c->dfl > b_data(&h2c->dbuf)) {
+       if (b_full(&h2c->dbuf) && h2c->dfl >= b_data(&h2c->dbuf)) {
                /* too large frames */
                h2c_error(h2c, H2_ERR_INTERNAL_ERROR);
                ret = -1;