MINOR: h3: fix potential NULL dereference
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 8 Nov 2021 08:13:42 +0000 (09:13 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Mon, 8 Nov 2021 08:17:24 +0000 (09:17 +0100)
Handle a potential allocation failure of the HTX start-line during H3 request
decoding. In this case, h3_decode_qcs returns -1 as error code.

This addresses in part github issue #1445.

src/h3.c
src/xprt_quic.c

index afcefef599fef9fa230cfa14c35192b1197a8a11..20f202c2e783a680ad89acf3cda1faa698fede0f 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -93,7 +93,9 @@ static inline size_t h3_decode_frm_header(uint64_t *ftype, uint64_t *flen,
        return hlen;
 }
 
-/* Decode <qcs> remotely initiated bidi-stream */
+/* Decode <qcs> remotely initiated bidi-stream.
+ * Returns <0 on error else 0.
+ */
 static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 {
        struct buffer *rxbuf = &qcs->rx.buf;
@@ -171,6 +173,8 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
                        flags |= HTX_SL_F_VER_11;
 
                        sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
+                       if (!sl)
+                               goto fail;
                        sl->flags |= HTX_SL_F_BODYLESS;
                        sl->info.req.meth = find_http_meth(meth.ptr, meth.len);
                        BUG_ON(sl->info.req.meth == HTTP_METH_OTHER);
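Review bot: The `BUG_ON(sl->info.req.meth == HTTP_METH_OTHER)` that remains right after the new NULL check turns an unrecognised method into a process abort, and `meth` looks like it comes from the request being decoded (its origin is outside the hunk, so confirm). If that value is peer-controlled, this is a remotely reachable crash of the same class the commit is closing. Route it through the new error path instead, e.g. `if (sl->info.req.meth == HTTP_METH_OTHER) goto fail;`, or drop the assertion if extension methods are meant to be accepted. The body of h3_decode_qcs starts and ends outside this hunk.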
@@ -215,7 +219,10 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
                b_del(rxbuf, flen);
        }
 
-       return 1;
+       return 0;
+
+ fail:
+       return -1;
 }
 
 /* Parse a SETTINGS frame which must not be truncated with <flen> as length from
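Review bot: The new `fail:` label returns -1 with no cleanup, and the jump skips the `b_del(rxbuf, flen)` at the end of the loop, so the frame that failed stays in the stream's rx buffer. The setup of `htx` is not visible in these hunks, so check whether anything acquired or partially filled earlier in h3_decode_qcs has to be released or rolled back on this path. The success value also changes from 1 to 0: the one caller shown only tests for an error value, but any other user of decode_qcs that tests for non-zero would now misread success.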
index 9dec844e5b655c9b519bc37b0f96da1c2d263637..09722c063af96b604c74dc2b23556bdec59852e1 100644 (file)
@@ -1828,7 +1828,7 @@ static int qc_handle_bidi_strm_frm(struct quic_rx_packet *pkt,
                    goto store_frm;
 
                ret = qc_strm_cpy(&strm->rx.buf, strm_frm);
-               if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) == -1) {
+               if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) < 0) {
                        TRACE_PROTO("Decoding error", QUIC_EV_CONN_PSTRM);
                        return 0;
                }
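Review bot: On a decode error this branch only emits a trace and returns 0, after `qc_strm_cpy` has already copied the frame into `strm->rx.buf`; nothing visible here resets the stream or reports an error to the peer. Now that an allocation failure is reported through this branch, it can be reached under memory pressure, so confirm what a 0 return means to the caller, which is outside the hunk. A comment such as `/* decode_qcs returns <0 on error, 0 on success */` at the callback's declaration would keep the `< 0` test and the implementations in agreement.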