BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing

BUG_ON() assertion to check for incomplete SETTINGS frame is incorrect.
It should check if frame length is greater, not smaller, than current
buffer data. Anyway, this BUG_ON() is useless as h3_decode_qcs()
prevents parsing of an incomplete frame, except for H3 DATA. Remove it
to fix this bug.

This bug was introduced in the current dev tree by commit
  commit 62eef85961f4a2a241e0b24ef540cc91f156b842
  MINOR: mux-quic: simplify decode_qcs API
Thus it does not need to be backported.

This fixes crashes which happen with DEBUG_STRICT=2. Most notably, this
is reproducible with clients that emit more than just a SETTINGS frame
on the H3 control stream. It can be reproduced with aioquic for example.

diff --git a/src/h3.c b/src/h3.c
index 96c1b0e2d7b01b33061b8db0441edf8333704ccd..9a65ebd7512df433d69c96733780c0ab785af1ee 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -500,9 +500,6 @@ static ssize_t h3_parse_settings_frm(struct h3c *h3c, const struct buffer *buf,
        /* Work on a copy of <buf>. */
        b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), b_data(buf));
 
-       /* TODO handle incomplete SETTINGS frame */
-       BUG_ON(len < b_data(&b));
-
        while (b_data(&b)) {
                if (!b_quic_dec_int(&id, &b, &ret) || !b_quic_dec_int(&value, &b, &ret)) {
                        h3c->err = H3_FRAME_ERROR;