From: Amaury Denoyelle Date: Thu, 26 Jan 2023 16:41:58 +0000 (+0100) Subject: BUG/MEDIUM: h3: do not crash if no buf space for trailers X-Git-Tag: v2.8-dev3~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=224ba5cffe6d1e2e1be5968dfc4ad7199f3d5d92;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: h3: do not crash if no buf space for trailers Replace ABORT_NOW() by proper error management in h3_resp_trailers_send() for QPACK encoding operation. If a QPACK encoding operation fails, it means there is not enough space in qcs buffer. In this case, flag qcs instance with QC_SF_BLK_MROOM and return an error. MUX is responsible to remove this flag once buffer space is available. This should fix the crash reported by gabrieltz on github issue #2006. This must be backported up to 2.7. --- diff --git a/src/h3.c b/src/h3.c index 7f0dc476b6..cbb7540036 100644 --- a/src/h3.c +++ b/src/h3.c @@ -1393,8 +1393,10 @@ static int h3_resp_trailers_send(struct qcs *qcs, struct htx *htx) /* Start the headers after frame type + length */ headers_buf = b_make(b_peek(res, b_data(res) + 9), b_contig_space(res) - 9, 0, 0); - if (qpack_encode_field_section_line(&headers_buf)) - ABORT_NOW(); + if (qpack_encode_field_section_line(&headers_buf)) { + qcs->flags |= QC_SF_BLK_MROOM; + goto err; + } tail = b_tail(&headers_buf); for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) { @@ -1412,8 +1414,10 @@ static int h3_resp_trailers_send(struct qcs *qcs, struct htx *htx) continue; } - if (qpack_encode_header(&headers_buf, list[hdr].n, list[hdr].v)) - ABORT_NOW(); + if (qpack_encode_header(&headers_buf, list[hdr].n, list[hdr].v)) { + qcs->flags |= QC_SF_BLK_MROOM; + goto err; + } } /* Now that all headers are encoded, we are certain that res buffer is
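Review bot: In the first hunk (@@ -1393,8 +1393,10 @@), the context line that builds headers_buf computes `b_contig_space(res) - 9` with no guard visible in these lines, so the new QC_SF_BLK_MROOM path only covers the case where the encoder itself reports failure. If fewer than 9 contiguous bytes are free, the subtraction would wrap to a very large size and qpack_encode_field_section_line() would see a buffer that looks roomy rather than full. Unless an earlier check in h3_resp_trailers_send() already guarantees at least 9 bytes, I would add that check before b_make() and route it through the same `qcs->flags |= QC_SF_BLK_MROOM; goto err;` handling. A one-line comment at the new branch saying that the MUX clears the flag once room is available (as the commit message states) would also help the next reader.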
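Review bot: In the second hunk (@@ -1412,8 +1414,10 @@), the `goto err` sits inside the for loop, so it can fire after earlier trailers have already been written into headers_buf. Please confirm, and say so in a comment, that nothing has been committed to res or consumed from htx at that point, so that the retry after QC_SF_BLK_MROOM is cleared re-encodes the whole trailer section from the start. The branch also treats every non-zero return from qpack_encode_header() as a temporary lack of room; if a single trailer could be too large to fit even in an empty buffer, the stream would stay blocked on a flag that freeing space never resolves, so that case may deserve a distinct error. Since the same two lines now appear at both call sites, a shared label or small helper would keep them from drifting apart.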