BUG/MINOR: h3: forbid 'Z' as well in header field names checks

The current tests in _h3_handle_hdr() and h3_trailers_to_htx() check
for an interval between 'A' and 'Z' for letters in header field names
that should be forbidden, but mistakenly leave the 'Z' out of the
forbidden range, resulting in it being implicitly valid.

This has no real consequences but should be fixed for the sake of
protocol validity checking.

This must be backported to all relevant versions.

diff --git a/src/h3.c b/src/h3.c
index f071748ee9a83a66e4e694590959fbd32903e1de..fdad3b06855ff4b0c6a1772f98474878fb973fcd 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -546,7 +546,7 @@ static int _h3_handle_hdr(struct qcs *qcs, const struct http_hdr *hdr)
 
        for (i = 0; i < istlen(name); ++i) {
                const char c = istptr(name)[i];
-               if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+               if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
                        TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
                        goto err;
                }
@@ -1425,7 +1425,7 @@ static ssize_t h3_trailers_to_htx(struct qcs *qcs, const struct buffer *buf,
 
                for (i = 0; i < list[hdr_idx].n.len; ++i) {
                        const char c = list[hdr_idx].n.ptr[i];
-                       if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+                       if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
                                TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
                                h3s->err = H3_ERR_MESSAGE_ERROR;
                                qcc_report_glitch(h3c->qcc, 1);