From: Olivier Houchard
Date: Fri, 12 Jun 2026 11:39:07 +0000 (+0200)
Subject: BUG/MEDIUM: h3: Properly handle PUSH_PROMISE on backend connections
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98b1fd4ff9a719f34131fa04cbd93f92c0c362f7;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: Properly handle PUSH_PROMISE on backend connections

When we receive a PUSH_PROMISE frame while we don't expect it, flag it as a connection error, do not just set ret to H3_ERR_ID_ERROR, as it would just be considered the number of bytes we read, and could lead to random corruption.
This should only happen with backend connections.

This should be backported whenever commit 4a8bb2fe5 is backported.
---
diff --git a/src/h3.c b/src/h3.c index 071206b7a..f3c18bfe3 100644 --- a/src/h3.c +++ b/src/h3.c @@ -2074,8 +2074,9 @@ static ssize_t h3_rcv_buf(struct qcs *qcs, struct buffer *b, int fin) * receipt of a PUSH_PROMISE frame that contains a larger push ID than * the client has advertised as a connection error of H3_ID_ERROR. */ - ret = H3_ERR_ID_ERROR; - break; + TRACE_ERROR("Received unexpected PUSH_PROMISE frame", H3_EV_RX_FRAME, qcs->qcc->conn, qcs); + qcc_set_error(qcs->qcc, H3_ERR_ID_ERROR, 1, muxc_tevt_type_proto_err); + goto err; case H3_FT_MAX_PUSH_ID: /* h3_check_frame_valid() must reject on client side. */ BUG_ON(conn_is_back(qcs->qcc->conn));
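Review bot: In the PUSH_PROMISE case of h3_rcv_buf(), replacing `break` with `goto err` changes which exit path runs, and the `err` label is outside this hunk; please confirm that path returns a negative value without consuming bytes from `b`, and that nothing the old `break` path did after the switch is still needed for this frame. Because the bug was a positive H3_ERR_* code stored in the ssize_t `ret` and then read back as a byte count, the other cases in this function deserve a check for the same `ret = H3_ERR_...; break;` pattern. The comment kept above the new lines quotes only the rule about a push ID larger than the one advertised, while the trace message says "unexpected PUSH_PROMISE"; one sentence there on why any PUSH_PROMISE on a backend connection maps to H3_ERR_ID_ERROR, plus a named constant or short remark for the bare `1` passed to qcc_set_error(), would make the intent clear to the next reader.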