From: zhanhb <6323014+zhanhb@users.noreply.github.com>
Date: Sat, 27 Sep 2025 15:01:32 +0000 (+0800)
Subject: BUG/MINOR: h3: forbid 'Z' as well in header field names checks
X-Git-Tag: v3.3-dev9~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad75431b9c7eb739fa05f748098a9a505cf9c868;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h3: forbid 'Z' as well in header field names checks

The current tests in _h3_handle_hdr() and h3_trailers_to_htx() check
for an interval between 'A' and 'Z' for letters in header field names
that should be forbidden, but mistakenly leave the 'Z' out of the
forbidden range, resulting in it being implicitly valid.

This has no real consequences but should be fixed for the sake of
protocol validity checking.

This must be backported to all relevant versions.
---

diff --git a/src/h3.c b/src/h3.c
index f071748ee..fdad3b068 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -546,7 +546,7 @@ static int _h3_handle_hdr(struct qcs *qcs, const struct http_hdr *hdr)
 
 	for (i = 0; i < istlen(name); ++i) {
 		const char c = istptr(name)[i];
-		if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+		if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
 			TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
 			goto err;
 		}
@@ -1425,7 +1425,7 @@ static ssize_t h3_trailers_to_htx(struct qcs *qcs, const struct buffer *buf,
 
 		for (i = 0; i < list[hdr_idx].n.len; ++i) {
 			const char c = list[hdr_idx].n.ptr[i];
-			if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+			if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
 				TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
 				h3s->err = H3_ERR_MESSAGE_ERROR;
 				qcc_report_glitch(h3c->qcc, 1);