From: Willy Tarreau Date: Sun, 3 Dec 2017 11:00:36 +0000 (+0100) Subject: BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits X-Git-Tag: v1.9-dev1~627 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4235d182143369d608c436f83004ce931ebb3635;p=thirdparty%2Fhaproxy.git BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits h2spec reported that we didn't check that no more than 7 bits of padding were left after decoding a huffman-encoded literal. This is harmless but better fix it now. To backport to 1.8. --- diff --git a/src/hpack-huff.c b/src/hpack-huff.c index 23aa5419b0..cbf1fa0217 100644 --- a/src/hpack-huff.c +++ b/src/hpack-huff.c @@ -1518,8 +1518,12 @@ int huff_dec(const uint8_t *huff, int hlen, char *out, int olen) if (bleft > 0) { /* some bits were not consumed after the last code, they must - * match EOS (ie: all ones). + * match EOS (ie: all ones) and there must be 7 bits or less. + * (7541#5.2). */ + if (bleft > 7) + return -1; + if ((code & -(1 << (32 - bleft))) != (uint32_t)-(1 << (32 - bleft))) return -1; }
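
Review bot: In the EOS comparison kept as context at the end of this hunk, `-(1 << (32 - bleft))` shifts a signed `int`. With the new `bleft > 7` guard the remaining range is 1..7, and `bleft == 1` gives `1 << 31`, which is not representable in a 32-bit `int` and is undefined behaviour in C. Writing the mask as `-(1U << (32 - bleft))` on both sides of the comparison keeps the same bit pattern with well-defined unsigned arithmetic. The reference `(7541#5.2)` in the added comment would also be easier to follow written out as RFC 7541 section 5.2.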