From: Christopher Faulet
Date: Wed, 21 Apr 2021 08:39:53 +0000 (+0200)
Subject: BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
X-Git-Tag: v2.4-dev17~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07f88d7582c80522b1e83b9bbc473d338e48fb85;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers

In the function decoding the payload of HEADERS frames, an internal error is
returned if the frame length is too large. It cannot exceed the buffer size.
The same is true when headers are split over several frames. The payloads of
HEADERS and CONTINUATION frames are merged and the overall size must not
exceed the buffer size.

However, there is a bug when the current frame is big enough to only have the
space for a part of the header of the next frame. Because, in this case, we
wait for more data, to have the whole frame header. We don't properly detect
that the headers are too large to be stored in one buffer. In fact the test to
trigger this error is not accurate. When the buffer is full, the error is
reported if the frame length exceeds the amount of data in the buffer. But in
reality, an error must be reported when we are unable to decode the current
frame while the buffer is full. Because, in this case, we know there is no way
to change this state.

When the bug happens, the H2 connection is woken up in a loop, consuming all
the CPU. But the traffic is not blocked for all that.

This patch must be backported as far as 2.0.
---

diff --git a/src/mux_h2.c b/src/mux_h2.c
index ac8071960d..695eb160d4 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -4791,7 +4791,7 @@ next_frame:
 		b_sub(&h2c->dbuf, hole);
 	}
 
-	if (b_full(&h2c->dbuf) && h2c->dfl >= b_data(&h2c->dbuf)) {
+	if (b_full(&h2c->dbuf) && h2c->dfl) {
 		/* too large frames */
 		h2c_error(h2c, H2_ERR_INTERNAL_ERROR);
 		ret = -1;
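Review bot: the comment `/* too large frames */` kept above `h2c_error(h2c, H2_ERR_INTERNAL_ERROR);` no longer describes the condition it guards. With `if (b_full(&h2c->dbuf) && h2c->dfl)` the error now fires whenever the buffer is full and a frame is still pending, which is the commit message's "unable to decode the current frame while the buffer is full", not only an oversized frame; the case this fix targets (a complete HEADERS frame plus a partial header of the next frame) is not a "too large frame" in the RFC sense at all. Restating the comment, for example `/* buffer full but frame still undecodable: no progress possible */`, would stop the next reader from "fixing" the condition back to a length comparison. Minor style point: `h2c->dfl` is a length, so `h2c->dfl != 0` would make the intent explicit rather than relying on its truth value.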
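To make the stuck state the commit message describes concrete, here is an added example; it is not haproxy's code. The two predicates (before and after the patch) are transcribed from the hunk above, while everything else is an assumption made for illustration: the `struct dbuf` model, the simplified HEADERS/CONTINUATION walk, the three scenario builders and the constructed frame bytes they fill in. It does not reproduce haproxy's real demux buffer handling (hole subtraction, HPACK decoding, and so on).

```c
/* Added example, not haproxy code: a simplified model of the check changed in
 * this commit. Only the two predicates in decode_headers() come from the hunk;
 * the buffer model, frame walk and scenarios are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define H2_FRAME_HDR_LEN   9      /* RFC 7540: 3-byte length, type, flags, 4-byte stream id */
#define H2_FT_HEADERS      0x1
#define H2_FT_CONTINUATION 0x9
#define H2_F_END_HEADERS   0x4

enum decode_result { DEC_NEED_MORE, DEC_DONE, DEC_ERROR };

/* Model of the connection demux buffer: 'data' bytes used out of 'size'. */
struct dbuf { const uint8_t *area; size_t data; size_t size; };

static int b_full(const struct dbuf *b) { return b->data == b->size; }

/* Write a frame header at dst (payload is left to the caller, zero here). */
static void put_frame_hdr(uint8_t *d, size_t len, uint8_t type, uint8_t flags, uint32_t sid)
{
    d[0] = (uint8_t)(len >> 16); d[1] = (uint8_t)(len >> 8); d[2] = (uint8_t)len;
    d[3] = type; d[4] = flags;
    d[5] = (uint8_t)((sid >> 24) & 0x7f); d[6] = (uint8_t)(sid >> 16);
    d[7] = (uint8_t)(sid >> 8); d[8] = (uint8_t)sid;
}

/* Walk a HEADERS frame and its CONTINUATIONs. *dfl accumulates the declared
 * payload length of every frame whose header could be read (the merged length
 * the commit message talks about). 'fixed' selects the predicate from the hunk:
 * 0 = before the patch (dfl >= b_data), 1 = after the patch (dfl != 0). */
static enum decode_result decode_headers(const struct dbuf *b, int fixed, size_t *dfl)
{
    size_t off = 0;
    *dfl = 0;
    for (;;) {
        if (b->data < off + H2_FRAME_HDR_LEN)
            break;                                   /* partial frame header */
        const uint8_t *p = b->area + off;
        size_t len = ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
        uint8_t type = p[3], flags = p[4];
        if (type != (off ? H2_FT_CONTINUATION : H2_FT_HEADERS))
            return DEC_ERROR;                        /* protocol error, not modelled further */
        *dfl += len;
        if (b->data < off + H2_FRAME_HDR_LEN + len)
            break;                                   /* partial payload */
        off += H2_FRAME_HDR_LEN + len;
        if (flags & H2_F_END_HEADERS)
            return DEC_DONE;
    }
    /* The check changed by the commit: the frame could not be decoded; if the
     * buffer is already full, waiting can never change that. */
    if (b_full(b) && (fixed ? *dfl != 0 : *dfl >= b->data))
        return DEC_ERROR;
    return DEC_NEED_MORE;                            /* wait for more data */
}

/* Scenario from the commit message (constructed bytes): a full 52-byte buffer
 * holding a complete 49-byte HEADERS frame without END_HEADERS followed by
 * only 3 bytes of the next frame header. */
enum decode_result scenario_partial_next_header(int fixed)
{
    uint8_t area[52] = {0};
    put_frame_hdr(area, 40, H2_FT_HEADERS, 0, 1);
    struct dbuf b = { area, sizeof area, sizeof area };
    size_t dfl;
    return decode_headers(&b, fixed, &dfl);
}

/* Same bytes, but the buffer still has room: waiting is the right answer. */
enum decode_result scenario_room_left(int fixed)
{
    uint8_t area[64] = {0};
    put_frame_hdr(area, 40, H2_FT_HEADERS, 0, 1);
    struct dbuf b = { area, 52, sizeof area };
    size_t dfl;
    return decode_headers(&b, fixed, &dfl);
}

/* A single HEADERS frame declaring more payload than the buffer can hold:
 * both predicates already caught this case. */
enum decode_result scenario_oversized_frame(int fixed)
{
    uint8_t area[52] = {0};
    put_frame_hdr(area, 100, H2_FT_HEADERS, 0, 1);
    struct dbuf b = { area, sizeof area, sizeof area };
    size_t dfl;
    return decode_headers(&b, fixed, &dfl);
}

int main(void)
{
    static const char *name[] = { "NEED_MORE", "DONE", "ERROR" };
    printf("partial next header: before=%s after=%s\n",
           name[scenario_partial_next_header(0)], name[scenario_partial_next_header(1)]);
    printf("room left:           before=%s after=%s\n",
           name[scenario_room_left(0)], name[scenario_room_left(1)]);
    printf("oversized frame:     before=%s after=%s\n",
           name[scenario_oversized_frame(0)], name[scenario_oversized_frame(1)]);
    return 0;
}
```

In the first scenario the old predicate returns NEED_MORE even though the buffer is full, which is the state that kept the connection waking up without progress; the new predicate reports the error instead. The other two scenarios show that the change does not alter behaviour when the buffer still has room or when the frame is plainly oversized.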