From 5112a603d9507cac84ae544863251e814e5eb8d8 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Thu, 26 Sep 2019 16:38:28 +0200 Subject: [PATCH] BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames When a frame is received for a unknown or already closed stream, it must be skipped. This also happens when a stream error is reported. But we must be sure to only skip received data. In the loop in h2_process_demux(), when such frames are handled, all the frame lenght is systematically skipped. If the frame payload is partially received, it leaves the demux buffer in an undefined state. Because of this bug, all sort of errors may be observed, like crash or intermittent freeze. This patch must be backported to 2.0, 1.9 and 1.8.
---
 src/mux_h2.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index b59c7fa63f..41c41deb01 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3103,10 +3103,15 @@ static void h2_process_demux(struct h2c *h2c)
 }
 if (h2c->st0 != H2_CS_FRAME_H) {
- b_del(&h2c->dbuf, h2c->dfl);
- h2c->dsi = -1;
- TRACE_STATE("switching to FRAME_H", H2_EV_RX_FRAME|H2_EV_RX_FHDR, h2c->conn);
- h2c->st0 = H2_CS_FRAME_H;
+ TRACE_DEVEL("stream error, skip frame payload", H2_EV_RX_FRAME, h2c->conn, h2s);
+ ret = MIN(b_data(&h2c->dbuf), h2c->dfl);
+ b_del(&h2c->dbuf, ret);
+ h2c->dfl -= ret;
+ if (!h2c->dfl) {
+ TRACE_STATE("switching to FRAME_H", H2_EV_RX_FRAME|H2_EV_RX_FHDR, h2c->conn);
+ h2c->st0 = H2_CS_FRAME_H;
+ h2c->dsi = -1;
+ }
 }
 }
-- 2.39.5
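Review bot: The new partial-skip branch leaves `h2c->st0` and `h2c->dsi` untouched while `h2c->dfl` is still non-zero, but nothing in the hunk documents that invariant or shows how the loop leaves once `dbuf` is drained. The enclosing loop of h2_process_demux() starts and ends outside the hunk, so it is worth confirming that it stops on an empty buffer with `dfl > 0` rather than re-entering this branch with `ret == 0`. A comment above the `MIN()` line would make the intent explicit for backporters, e.g. `/* skip only the bytes already received; stay in the current state until the whole payload (dfl) has been dropped */`. The trace text `"stream error, skip frame payload"` also fires for frames on unknown or closed streams according to the description, so a neutral `"skipping frame payload"` would be less misleading when reading traces during an incident. Since the payload length comes from the peer, a regression test that delivers a skipped frame's payload across two reads would pin the fix.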