From: Amaury Denoyelle
Date: Wed, 8 Jun 2022 16:21:32 +0000 (+0200)
Subject: BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
X-Git-Tag: v2.7-dev1~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cd43aa1947da89044f4c4d699e07cf4fae8d482;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing

BUG_ON() assertion to check for incomplete SETTINGS frame is incorrect. It should check if frame length is greater, not smaller, than current buffer data. Anyway, this BUG_ON() is useless as h3_decode_qcs() prevents parsing of an incomplete frame, except for H3 DATA. Remove it to fix this bug.

This bug was introduced in the current dev tree by commit
  commit 62eef85961f4a2a241e0b24ef540cc91f156b842
  MINOR: mux-quic: simplify decode_qcs API
Thus it does not need to be backported.

This fixes crashes which happen with DEBUG_STRICT=2. Most notably, this is reproducible with clients that emit more than just a SETTINGS frame on the H3 control stream. It can be reproduced with aioquic for example.

---
diff --git a/src/h3.c b/src/h3.c index 96c1b0e2d7..9a65ebd751 100644 --- a/src/h3.c +++ b/src/h3.c @@ -500,9 +500,6 @@ static ssize_t h3_parse_settings_frm(struct h3c *h3c, const struct buffer *buf, /* Work on a copy of . */ b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), b_data(buf)); - /* TODO handle incomplete SETTINGS frame */ - BUG_ON(len < b_data(&b)); - while (b_data(&b)) { if (!b_quic_dec_int(&id, &b, &ret) || !b_quic_dec_int(&value, &b, &ret)) { h3c->err = H3_FRAME_ERROR;
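
Review bot: with the assertion gone, nothing in the visible context of h3_parse_settings_frm() bounds parsing to the frame length. The copy is built with b_data(buf) and the loop runs while (b_data(&b)), so when the buffer holds more than the SETTINGS frame (the case the commit message gives as the crash trigger), the loop would keep decoding id/value pairs past the end of the frame and into whatever follows it, unless len is applied somewhere outside the lines shown. Consider sizing the copy to len instead of b_data(buf), or stopping the loop once len bytes have been consumed. Separately, the removed TODO was the only comment here about incomplete frames; a one-line comment stating that h3_decode_qcs() only passes a complete frame to this function would keep that precondition documented at the point where it is relied on.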