BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames

While parsing a headers frame, if the frame is wrapped in the buffer
and needs to be unwrapped, it will be duplicated before being processed.
But if it contains certain combinations of invalid flags, the parser
returns without releasing the temporary buffer leading to a memory
leak.

This fix needs to be backported to 1.8.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 1596f376c1c3d440e6f05a564be929b4613b531e..f7e327e0798f4d0b5eae204373c4fd87474f96d6 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2746,7 +2746,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
                if (h2c->dpl >= flen) {
                        /* RFC7540#6.2 : pad length = length of frame payload or greater */
                        h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
-                       return 0;
+                       goto fail;
                }
                flen -= h2c->dpl + 1;
                hdrs += 1; // skip Pad Length
@@ -2757,7 +2757,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
                if (read_n32(hdrs) == h2s->id) {
                        /* RFC7540#5.3.1 : stream dep may not depend on itself */
                        h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
-                       return 0;//goto fail_stream;
+                       goto fail;
                }
 
                hdrs += 5; // stream dep = 4, weight = 1