From: Willy Tarreau <w@1wt.eu>
Date: Wed, 5 Sep 2018 16:30:05 +0000 (+0200)
Subject: BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
X-Git-Tag: v1.9-dev2~96
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0d11b6fd5b6cec3af9a70e38895a665a666ae80;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames

While parsing a headers frame, if the frame is wrapped in the buffer
and needs to be unwrapped, it will be duplicated before being processed.
But if it contains certain combinations of invalid flags, the parser
returns without releasing the temporary buffer leading to a memory
leak.

This fix needs to be backported to 1.8.
---

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 1596f376c1..f7e327e079 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2746,7 +2746,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
 		if (h2c->dpl >= flen) {
 			/* RFC7540#6.2 : pad length = length of frame payload or greater */
 			h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
-			return 0;
+			goto fail;
 		}
 		flen -= h2c->dpl + 1;
 		hdrs += 1; // skip Pad Length
@@ -2757,7 +2757,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
 		if (read_n32(hdrs) == h2s->id) {
 			/* RFC7540#5.3.1 : stream dep may not depend on itself */
 			h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
-			return 0;//goto fail_stream;
+			goto fail;
 		}
 
 		hdrs += 5; // stream dep = 4, weight = 1