From: Amaury Denoyelle
Date: Thu, 9 Jun 2022 09:54:38 +0000 (+0200)
Subject: BUG/MEDIUM: h3: fix SETTINGS parsing
X-Git-Tag: v2.7-dev1~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a2fcfd58dc180d6dcc3c6b21026aee595582a5d;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: fix SETTINGS parsing

The function used to parse the SETTINGS frame is incorrect, as it does not stop at the frame length but continues to parse beyond it. In most cases, it will result in a connection closed with error H3_FRAME_ERROR.

This bug can be reproduced with clients that send more than just a SETTINGS frame on the H3 control stream. This is notably the case with aioquic, which emits a MAX_PUSH_ID after SETTINGS.

This bug has been introduced in the current dev release, by the following patch
  62eef85961f4a2a241e0b24ef540cc91f156b842
  MINOR: mux-quic: simplify decode_qcs API
thus, it does not need to be backported.

---
diff --git a/src/h3.c b/src/h3.c index 9a65ebd751..3dc9facc5b 100644 --- a/src/h3.c +++ b/src/h3.c @@ -498,7 +498,7 @@ static ssize_t h3_parse_settings_frm(struct h3c *h3c, const struct buffer *buf, TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_SETTINGS, h3c->qcc->conn); /* Work on a copy of . */ - b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), b_data(buf)); + b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), len); while (b_data(&b)) { if (!b_quic_dec_int(&id, &b, &ret) || !b_quic_dec_int(&value, &b, &ret)) {
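
Review bot: In the changed b_make() call, len becomes the data length of the working copy with no visible check that it does not exceed b_data(buf), the value it replaces. If a caller ever passes a frame length larger than what is buffered, the while (b_data(&b)) loop would decode id/value pairs from bytes that were never received. Consider asserting or returning early when len > b_data(buf) before building the copy, and extend the comment above the call to state that the copy is limited to the frame length, so the bound is not changed back to b_data(buf) in a later refactor.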