BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers

If any DATA frame is received before all headers are fully received, a
protocol error must be reported. It is required by the HTTP/2 RFC but it is
also important because the HTTP analyzers expect the first HTX block is a
start-line. It leads to a crash if this statement is not respected.

For instance, it is possible to trigger a crash by sending an interim
message with a DATA frame (It may be an empty DATA frame with the ES
flag). AFAIK, only the server side is affected by this bug.

To fix the issue, an protocol error is reported for the stream.

This patch should fix the issue #2291. It must be backported as far as 2.2
(and probably to 2.0 too).

diff --git a/src/mux_h2.c b/src/mux_h2.c
index cc698b66b2dbe556fa6fd71ab0ec764bd64d8450..6a315092b8b7c709635936c1a14a24af4c723a9b 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2999,6 +2999,13 @@ static int h2c_handle_data(struct h2c *h2c, struct h2s *h2s)
                goto strm_err;
        }
 
+       if (!(h2s->flags & H2_SF_HEADERS_RCVD)) {
+               /* RFC9113#8.1: The header section must be received before the message content */
+               TRACE_ERROR("Unexpected DATA frame before the message headers", H2_EV_RX_FRAME|H2_EV_RX_DATA, h2c->conn, h2s);
+               error = H2_ERR_PROTOCOL_ERROR;
+               HA_ATOMIC_INC(&h2c->px_counters->strm_proto_err);
+               goto strm_err;
+       }
        if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) {
                /* RFC7540#8.1.2 */
                TRACE_ERROR("DATA frame larger than content-length", H2_EV_RX_FRAME|H2_EV_RX_DATA, h2c->conn, h2s);