From: Christopher Faulet
Date: Wed, 13 Sep 2023 14:21:58 +0000 (+0200)
Subject: BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers
X-Git-Tag: v2.9-dev6~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89e20033c78b7d93f0b75f91d61fa78eef67440d;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers

If any DATA frame is received before all headers are fully received, a protocol error must be reported. It is required by the HTTP/2 RFC but it is also important because the HTTP analyzers expect the first HTX block to be a start-line. It leads to a crash if this statement is not respected.

For instance, it is possible to trigger a crash by sending an interim message with a DATA frame (It may be an empty DATA frame with the ES flag). AFAIK, only the server side is affected by this bug.

To fix the issue, a protocol error is reported for the stream.

This patch should fix the issue #2291. It must be backported as far as 2.2 (and probably to 2.0 too).
---
diff --git a/src/mux_h2.c b/src/mux_h2.c index cc698b66b2..6a315092b8 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2999,6 +2999,13 @@ static int h2c_handle_data(struct h2c *h2c, struct h2s *h2s) goto strm_err; } + if (!(h2s->flags & H2_SF_HEADERS_RCVD)) { + /* RFC9113#8.1: The header section must be received before the message content */ + TRACE_ERROR("Unexpected DATA frame before the message headers", H2_EV_RX_FRAME|H2_EV_RX_DATA, h2c->conn, h2s); + error = H2_ERR_PROTOCOL_ERROR; + HA_ATOMIC_INC(&h2c->px_counters->strm_proto_err); + goto strm_err; + } if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) { /* RFC7540#8.1.2 */ TRACE_ERROR("DATA frame larger than content-length", H2_EV_RX_FRAME|H2_EV_RX_DATA, h2c->conn, h2s);
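Review bot: the new `!(h2s->flags & H2_SF_HEADERS_RCVD)` test in h2c_handle_data() only covers the case named in the commit message (an interim message followed by a DATA frame) if that flag stays clear after an interim response's HEADERS frame, and the hunk does not show where the flag is set. Please confirm that H2_SF_HEADERS_RCVD is raised only once the final header section has been received, and say so in the comment next to the RFC9113#8.1 reference so the dependency is visible to whoever backports this. The patch touches only src/mux_h2.c; since it is marked for backport as far as 2.2, a regression test that checks the stream is reset with H2_ERR_PROTOCOL_ERROR and that strm_proto_err is incremented would make it easier to validate each backport.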