From: Amaury Denoyelle
Date: Mon, 29 Jan 2024 12:47:44 +0000 (+0100)
Subject: BUG/MEDIUM: h3: do not crash on invalid response status code
X-Git-Tag: v3.0-dev3~146
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d2fe1871a1ec4ec68a8ed262f4526e02e8e9fc1;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: do not crash on invalid response status code

A crash occurs in h3_resp_headers_send() if an invalid response code is received from the backend side. Fix this by properly flagging the connection on error. This will cause a CONNECTION_CLOSE.

This should fix github issue #2422.

Big thanks to ygkim (@yokim-git) for his help and reactivity. Initially, GDB reported an invalid code source location due to heavy functions inlining inside h3_snd_buf(). The issue was found after using -Og flag.

This must be backported up to 2.6.
---
diff --git a/src/h3.c b/src/h3.c index 90ce3d88ca..424ecd8336 100644 --- a/src/h3.c +++ b/src/h3.c @@ -1563,8 +1563,11 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx) qcs->qcc->conn, qcs); if (qpack_encode_field_section_line(&headers_buf)) ABORT_NOW(); - if (qpack_encode_int_status(&headers_buf, status)) - ABORT_NOW(); + if (qpack_encode_int_status(&headers_buf, status)) { + TRACE_ERROR("invalid status code", H3_EV_TX_FRAME|H3_EV_TX_HDR, qcs->qcc->conn, qcs); + h3c->err = H3_INTERNAL_ERROR; + goto err; + } for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) { if (isteq(list[hdr].n, ist("")))
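
Review bot: The unchanged context line just above the fix, `if (qpack_encode_field_section_line(&headers_buf)) ABORT_NOW();`, still aborts the whole process on an encoding failure, which is the same pattern this change removes for qpack_encode_int_status(). If that call can fail at runtime, route it through the same path by setting `h3c->err = H3_INTERNAL_ERROR;` and jumping to `err`, so that no encoder failure in this function can take the process down. Two smaller points on the added lines: the TRACE_ERROR message does not carry the rejected status value, and including it would make the trace far more useful when tracking down a misbehaving backend; and because the commit message says the error ends in a CONNECTION_CLOSE, a short comment noting that one invalid backend response terminates every stream on that connection would make the connection-level choice visibly deliberate. The `err` label and the `h3c` variable are outside the visible context, so please confirm that the `err` path releases headers_buf.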