From 3a2fcfd58dc180d6dcc3c6b21026aee595582a5d Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Thu, 9 Jun 2022 11:54:38 +0200
Subject: [PATCH] BUG/MEDIUM: h3: fix SETTINGS parsing
Function used to parse SETTINGS frame is incorrect as it does not stop at the frame length but continue to parse beyond it. In most cases, it will result in a connection closed with error H3_FRAME_ERROR. This bug can be reproduced with clients that sent more than just a SETTINGS frame on the H3 control stream. This is notably the case with aioquic which emit a MAX_PUSH_ID after SETTINGS. This bug has been introduced in the current dev release, by the following patch 62eef85961f4a2a241e0b24ef540cc91f156b842 MINOR: mux-quic: simplify decode_qcs API thus, it does not need to be backported.
---
 src/h3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/h3.c b/src/h3.c
index 9a65ebd751..3dc9facc5b 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -498,7 +498,7 @@ static ssize_t h3_parse_settings_frm(struct h3c *h3c, const struct buffer *buf,
 TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_SETTINGS, h3c->qcc->conn);
 /* Work on a copy of . */
- b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), b_data(buf));
+ b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), len);
 while (b_data(&b)) {
 if (!b_quic_dec_int(&id, &b, &ret) || !b_quic_dec_int(&value, &b, &ret)) {
-- 
2.47.3
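Review bot: Nothing visible in this hunk bounds `len` by `b_data(buf)` before it becomes the data length of the working copy in `b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), len);`. Since `len` presumably comes from the frame length announced by the peer, a value larger than what is actually buffered would let the `while (b_data(&b))` loop decode bytes of the underlying storage that were never received for this frame. The function starts and ends outside the hunk, so the caller may already guarantee that the whole frame is buffered; if so, state it next to the copy, e.g. `/* <len> is the SETTINGS frame length; caller guarantees len <= b_data(buf) */`. If the caller does not guarantee it, the function should refuse to parse until `len <= b_data(buf)` holds rather than trust the announced length.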