From: Christopher Faulet Date: Wed, 19 Jun 2019 07:25:58 +0000 (+0200) Subject: BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked X-Git-Tag: v2.1-dev1~71 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f09ec812adbd9336cddc054660a7fb5cd54b459;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked When a DATA frame is processed for a message with a content-length, we first take care to not have a frame size that exceeds the remaining to read. Otherwise, an error is triggered. But we must remove the padding length from the frame size because the padding is not included in the announced content-length. This patch must be backported to 2.0 and 1.9. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index c06d5d68ed..5bb851819d 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2177,7 +2177,7 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s) goto strm_err; } - if ((h2s->flags & H2_SF_DATA_CLEN) && h2c->dfl > h2s->body_len) { + if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) { /* RFC7540#8.1.2 */ error = H2_ERR_PROTOCOL_ERROR; goto strm_err;
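Review bot: The new comparison `(h2c->dfl - h2c->dpl) > h2s->body_len` on the `+` line depends on `h2c->dpl` never exceeding `h2c->dfl` when this check runs, and nothing in the visible context shows that bound or the types of the two fields. If both are unsigned, a padding length larger than the remaining frame length would wrap the subtraction to a large value; that would still take the `strm_err` path here, but it is worth confirming that the padding length is validated against the frame length before this point, or writing the test as `h2c->dfl > h2s->body_len + h2c->dpl` so that no subtraction can underflow. The `/* RFC7540#8.1.2 */` comment could also state that padding is excluded from the content-length comparison, since that reasoning currently lives only in the commit message.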