BUG/MEDIUM: h3: do not crash on invalid response status code

A crash occurs in h3_resp_headers_send() if an invalid response code is
received from the backend side. Fix this by properly flagging the
connection on error. This will cause a CONNECTION_CLOSE.

This should fix github issue #2422.

Big thanks to ygkim (@yokim-git) for his help and reactivity. Initially,
GDB reported an invalid code source location due to heavy functions
inlining inside h3_snd_buf(). The issue was found after using -Og flag.

This must be backported up to 2.6.

diff --git a/src/h3.c b/src/h3.c
index 90ce3d88ca2e6c826e3042e99d5bc745985be3d9..424ecd83360b979c6bb19cb40e5d0a964ed0afc3 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -1563,8 +1563,11 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx)
                   qcs->qcc->conn, qcs);
        if (qpack_encode_field_section_line(&headers_buf))
                ABORT_NOW();
-       if (qpack_encode_int_status(&headers_buf, status))
-               ABORT_NOW();
+       if (qpack_encode_int_status(&headers_buf, status)) {
+               TRACE_ERROR("invalid status code", H3_EV_TX_FRAME|H3_EV_TX_HDR, qcs->qcc->conn, qcs);
+               h3c->err = H3_INTERNAL_ERROR;
+               goto err;
+       }
 
        for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) {
                if (isteq(list[hdr].n, ist("")))