From: Willy Tarreau
Date: Sat, 30 Dec 2017 15:56:28 +0000 (+0100)
Subject: BUG/MAJOR: hpack: don't return direct references to the dynamic headers table
X-Git-Tag: v1.9-dev1~537
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb39b4945b5264f5e21414ceb52df2e16fa9a953;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: hpack: don't return direct references to the dynamic headers table

Maximilian Böhm and Lucas Rolff both reported some random failed requests with HTTP/2. Upon deep investigation on detailed traces provided by Lucas, it turned out that some header names were occasionally corrupted and used to point to random strings within the dynamic headers table.

The HPACK decoder must always return copies of header names that point to the dynamic headers table. Otherwise, the insertion of a header after the current one leading to a reorganization of the table will change the data the pointer designates. Unfortunately, one such copy was missing for indexed names, leading to random request failures due to invalid header names.

Many thanks to Lucas who ran a large number of tests with full traces helping to capture a reproducible sequence exhibiting this issue.

This patch must be backported to 1.8.
---

diff --git a/src/hpack-dec.c b/src/hpack-dec.c index 454f55cb73..dfbcaff277 100644 --- a/src/hpack-dec.c +++ b/src/hpack-dec.c @@ -365,8 +365,13 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len, if (!must_index) name.len = hpack_idx_to_phdr(idx); - if (!name.len) - name = hpack_idx_to_name(dht, idx); + if (!name.len) { + name = hpack_alloc_string(tmp, idx, hpack_idx_to_name(dht, idx)); + if (!name.ptr) { + ret = -HPACK_ERR_TOO_LARGE; + goto leave; + } + } /* and are correctly filled here */ }
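
Review bot: In the new `if (!name.len)` block of hpack_decode_frame(), the reason for copying the name exists only in the commit message, so a later cleanup could turn the hpack_alloc_string() call back into a direct hpack_idx_to_name() assignment without anyone noticing. Please add a short comment above the call stating that the name has to be copied into tmp because a later insertion can reorganize the dynamic headers table and change what a direct pointer designates. The failure path reports -HPACK_ERR_TOO_LARGE when name.ptr is NULL; the same comment should say what that condition means here, so the error code is not read as a complaint about the peer's header size if it is really about the temporary storage. A regression test built from the reproducible sequence mentioned in the commit message would also help, since the change is flagged for backport to 1.8.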