From: Amaury Denoyelle
Date: Mon, 8 Nov 2021 08:13:42 +0000 (+0100)
Subject: MINOR: h3: fix potential NULL dereference
X-Git-Tag: v2.5-dev14~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9ce14e5a26875d64a77ac47341fa13370288863;p=thirdparty%2Fhaproxy.git
MINOR: h3: fix potential NULL dereference
Fix potential allocation failure of HTX start-line during H3 request decoding. In this case, h3_decode_qcs returns -1 as error code. This addresses in part github issue #1445.
---
diff --git a/src/h3.c b/src/h3.c
index afcefef599..20f202c2e7 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -93,7 +93,9 @@ static inline size_t h3_decode_frm_header(uint64_t *ftype, uint64_t *flen,
 return hlen;
 }
-/* Decode remotely initiated bidi-stream */
+/* Decode remotely initiated bidi-stream.
+ * Returns <0 on error else 0.
+ */
 static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 {
 struct buffer *rxbuf = &qcs->rx.buf;
@@ -171,6 +173,8 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 flags |= HTX_SL_F_VER_11;
 sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
+ if (!sl)
+ goto fail;
 sl->flags |= HTX_SL_F_BODYLESS;
 sl->info.req.meth = find_http_meth(meth.ptr, meth.len);
 BUG_ON(sl->info.req.meth == HTTP_METH_OTHER);
@@ -215,7 +219,10 @@ static int h3_decode_qcs(struct qcs *qcs, void *ctx)
 b_del(rxbuf, flen);
 }
- return 1;
+ return 0;
+
+ fail:
+ return -1;
 }
 /* Parse a SETTINGS frame which must not be truncated with as length from
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 9dec844e5b..09722c063a 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -1828,7 +1828,7 @@ static int qc_handle_bidi_strm_frm(struct quic_rx_packet *pkt,
 goto store_frm;
 ret = qc_strm_cpy(&strm->rx.buf, strm_frm);
- if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) == -1) {
+ if (ret && qc->qcc->app_ops->decode_qcs(strm, qc->qcc->ctx) < 0) {
 TRACE_PROTO("Decoding error", QUIC_EV_CONN_PSTRM);
 return 0;
 }
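Review bot: In the h3.c hunk at `@@ -171,6 +173,8 @@`, two lines below the new `if (!sl) goto fail;`, `BUG_ON(sl->info.req.meth == HTTP_METH_OTHER);` still asserts on a value computed from `meth`, which appears to be taken from the request received on a remotely initiated stream. If find_http_meth() can return HTTP_METH_OTHER for a method it does not recognise and BUG_ON aborts in this build, input from the peer would stop the whole process rather than fail one stream. The new error path is a natural place for it: `if (sl->info.req.meth == HTTP_METH_OTHER) goto fail;`, or handle unknown methods explicitly. The body of h3_decode_qcs starts and ends outside this hunk, so how `meth` is filled in is not visible here.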
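Review bot: The `fail:` label added in the h3.c hunk at `@@ -215,7 +219,10 @@` returns -1 without any visible unwinding, and the caller in the xprt_quic.c hunk only traces "Decoding error" and returns 0. By then qc_strm_cpy() has copied the frame into `strm->rx.buf` and the `b_del(rxbuf, flen)` above the label has been skipped, so it is unclear from these hunks whether the stream is reset or the buffered data just stays until a later call. A comment at the label stating the intended recovery, e.g. `/* frame left in rxbuf; caller decides whether to abort the stream */`, would help once that behaviour is confirmed. The success value also changes from 1 to 0, so any other implementation or caller of `app_ops->decode_qcs` outside this diff should be checked against `< 0`. Both functions start and end outside their hunks.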