From: Willy Tarreau
Date: Thu, 24 Jan 2019 09:47:10 +0000 (+0100)
Subject: BUG/MINOR: hpack: return a compression error on invalid table size updates
X-Git-Tag: v2.0-dev1~166
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e7d444eec69db192d026a542262891b8de89e0c;p=thirdparty%2Fhaproxy.git
BUG/MINOR: hpack: return a compression error on invalid table size updates
RFC7541#6.3 mandates that an error is reported when a dynamic table size update announces a size larger than the one configured with settings. This is tested by h2spec using test "hpack/6.3/1". This must be backported to 1.9 and possibly 1.8 as well.
---
diff --git a/include/common/hpack-tbl.h b/include/common/hpack-tbl.h
index 385f3860bb..2cbc2bf6cd 100644
--- a/include/common/hpack-tbl.h
+++ b/include/common/hpack-tbl.h
@@ -127,6 +127,7 @@ enum {
 HPACK_ERR_MISSING_AUTHORITY, /* :authority is missing with CONNECT */
 HPACK_ERR_SCHEME_NOT_ALLOWED, /* :scheme not allowed with CONNECT */
 HPACK_ERR_PATH_NOT_ALLOWED, /* :path not allowed with CONNECT */
+ HPACK_ERR_INVALID_ARGUMENT, /* an invalid argument was passed */
 };
 /* static header table as in RFC7541 Appendix A. [0] unused. */
diff --git a/src/hpack-dec.c b/src/hpack-dec.c
index 148a9a2157..e179f29d58 100644
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@@ -232,6 +232,12 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 goto leave;
 }
 hpack_debug_printf(" new len=%u\n", idx);
+
+ if (idx > dht->size) {
+ hpack_debug_printf("##ERR@%d##\n", __LINE__);
+ ret = -HPACK_ERR_INVALID_ARGUMENT;
+ goto leave;
+ }
 continue;
 }
 else if (!(*raw & (*raw - 0x10))) {
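Review bot: The comment on `HPACK_ERR_INVALID_ARGUMENT` in include/common/hpack-tbl.h reads like a caller-side API error, but the only use this commit adds (src/hpack-dec.c) is for a value sent by the peer in a dynamic table size update. Someone triaging that code could mistake a protocol violation by the remote end for an internal bug. A comment such as `/* peer-supplied value out of range (e.g. table size update above the configured size) */` would say what the code actually signals. If an error-code-to-string table exists elsewhere it would need the new entry as well; none is visible in this hunk.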
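Review bot: The added `if (idx > dht->size)` check in src/hpack-dec.c has no comment saying that `dht->size` is meant to be the limit configured through SETTINGS, which is what the commit message relies on and what RFC7541#6.3 requires the update to be compared against. On the accepted path the visible lines go straight to `continue;` without storing `idx`, so the comparison is only right while `dht->size` never shrinks to a peer-announced value. If a later change applies the update to `dht->size`, a legitimate update back up to the configured maximum would be rejected. I would add `/* RFC7541#6.3: the new size must not exceed the limit we configured; dht->size must remain that limit */` above the check. hpack_decode_frame() starts and ends outside this hunk, so how `dht->size` is maintained should be confirmed there.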