BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked

When a DATA frame is processed for a message with a content-length, we first
take care to not have a frame size that exceeds the remaining to
read. Otherwise, an error is triggered. But we must remove the padding length
from the frame size because the padding is not included in the announced
content-length.

This patch must be backported to 2.0 and 1.9.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index c06d5d68eddf680c7115be257bff139e7c3c18b0..5bb851819d29bebcf499939e672e494774ebe687 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2177,7 +2177,7 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s)
                goto strm_err;
        }
 
-       if ((h2s->flags & H2_SF_DATA_CLEN) && h2c->dfl > h2s->body_len) {
+       if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) {
                /* RFC7540#8.1.2 */
                error = H2_ERR_PROTOCOL_ERROR;
                goto strm_err;