From: Willy Tarreau Date: Mon, 29 Apr 2019 08:20:21 +0000 (+0200) Subject: BUG/MEDIUM: mux-h2: properly deal with too large headers frames X-Git-Tag: v2.0-dev3~159 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97215ca284fa7127f20248f00919a0d6df5b8819;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h2: properly deal with too large headers frames In h2c_decode_headers(), now that we support CONTINUATION frames, we try to defragment all pending frames at once before processing them. However if the first is exactly full and the second cannot be parsed, we don't detect the problem and we wait for the next part forever due to an incorrect check on exit; we must abort the processing as soon as the current frame remains full after defragmentation as in this case there is no way to make forward progress. Thanks to Yves Lafon for providing traces exhibiting the problem. This must be backported to 1.9. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index a6d89b92d4..55d69a28e0 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -3579,7 +3579,7 @@ next_frame: b_sub(&h2c->dbuf, hole); } - if (b_full(&h2c->dbuf) && h2c->dfl > b_data(&h2c->dbuf)) { + if (b_full(&h2c->dbuf) && h2c->dfl >= b_data(&h2c->dbuf)) { /* too large frames */ h2c_error(h2c, H2_ERR_INTERNAL_ERROR); ret = -1;
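Review bot: The comment on the changed condition in the `next_frame:` hunk still reads only "too large frames", which does not explain why the equality case (`h2c->dfl` equal to `b_data(&h2c->dbuf)` while `b_full(&h2c->dbuf)` holds) has to abort. The commit message gives the reason: a buffer that remains full after defragmentation leaves no way to make forward progress, and the old `>` check left the connection waiting for the next part forever. I would put that sentence in the comment so that the `>=` is not later "corrected" back to `>`. It is also worth confirming that H2_ERR_INTERNAL_ERROR is the code you want the peer to receive here, since the trigger described is the size of the peer's headers rather than a local fault.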