From 291ee25696e950fec05d43abcf928e11f0f99fdb Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 2 May 2022 10:35:39 +0200
Subject: [PATCH] BUG/MINOR: h3: fix parsing of unknown frame type with null length
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

An HTTP/3 implementation must ignore unknown frame types to support protocol
evolution. Clients can deliberately use unknown types to test that the
server is conformant: this principle is called greasing.

The Quiche client uses greasing on the H3 frame type with a zero-length frame.
This reveals a bug in the H3 parsing code which causes the transfer to be
interrupted.

Fix this by removing the break statement on the ret variable. Now the
parsing loop is only interrupted if the input buffer is empty or the demux
is blocked.

This should fix frozen HTTP/3 transfers with the quiche client.

Thanks to Lucas Pardue from Cloudflare for his report on the bug.
Frédéric Lecaille quickly found the source of the problem, which helped me
write this patch.
---
 src/h3.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index 61ea09a722..8a41f07829 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -315,12 +315,11 @@ static int h3_decode_qcs(struct qcs *qcs, int fin, void *ctx)
 			ret = MIN(b_data(rxbuf), flen);
 		}
 
-		if (!ret)
-			break;
-
-		b_del(rxbuf, ret);
-		BUG_ON(h3s->demux_frame_len < ret);
-		h3s->demux_frame_len -= ret;
+		if (ret) {
+			b_del(rxbuf, ret);
+			BUG_ON(h3s->demux_frame_len < ret);
+			h3s->demux_frame_len -= ret;
+		}
 	}
 
 	/* TODO may be useful to wakeup the MUX if blocked due to full buffer.
-- 
2.47.3
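Review bot: with `if (!ret) break;` gone, nothing visible in this hunk bounds the loop when `ret` is 0 while `rxbuf` still holds data: `ret = MIN(b_data(rxbuf), flen)` is 0 for any zero-length frame, and the hunk then falls through to the next iteration without consuming anything, so termination now relies entirely on the header-parsing part of the loop (not shown here) advancing `rxbuf` on every pass. Please add a comment above `if (ret) {` stating that a zero `ret` is expected for zero-length (e.g. greased) frames and which earlier step guarantees progress, since the commit message's "only interrupted if input buffer is empty or the demux is blocked" is the invariant a future reader will need to check. A reg-test that sends an unknown-type frame with length 0 followed by a normal HEADERS/DATA sequence would also pin the fix, as the bug was only exposed by one client's grease pattern.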
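To make the failure mode concrete, here is an added, stand-alone C example (not HAProxy's code) of an H3 frame demux loop over a byte buffer. It keeps the accounting shape of the hunk above (a `ret` clamped to the bytes available, subtracted from a per-frame remaining length) and can run either with the pre-patch `if (!ret) break;` or with the patched behaviour. The names `h3_demux`, `h3_demux_run` and `run_sample` are hypothetical, the varint decoding follows RFC 9000, the reserved frame type 0x40 follows the 0x1f * N + 0x21 grease pattern of RFC 9114, and the sample byte stream is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* QUIC variable-length integer (RFC 9000 section 16).
 * Returns bytes consumed, or 0 if the input is truncated. */
static size_t varint_decode(const uint8_t *p, size_t len, uint64_t *out)
{
	size_t n, i;
	uint64_t v;

	if (len == 0)
		return 0;
	n = (size_t)1 << (p[0] >> 6);     /* 1, 2, 4 or 8 bytes */
	if (len < n)
		return 0;
	v = p[0] & 0x3f;
	for (i = 1; i < n; i++)
		v = (v << 8) | p[i];
	*out = v;
	return n;
}

enum { H3_FT_DATA = 0x00, H3_FT_HEADERS = 0x01, H3_FT_SETTINGS = 0x04 };

/* Hypothetical demux state; frame_len plays the role of demux_frame_len. */
struct h3_demux {
	const uint8_t *buf;   /* receive buffer (stands in for rxbuf) */
	size_t len, off;      /* buffer length and consumed offset */
	int in_frame;         /* header of the current frame already parsed */
	uint64_t frame_type;
	uint64_t frame_len;   /* payload bytes still to consume */
	int known_frames;     /* DATA/HEADERS/SETTINGS frames completed */
	int unknown_frames;   /* reserved/unknown-type frames skipped */
};

static int h3_type_known(uint64_t t)
{
	return t == H3_FT_DATA || t == H3_FT_HEADERS || t == H3_FT_SETTINGS;
}

/* Demux loop. buggy != 0 keeps the pre-patch "if (!ret) break;"; otherwise the
 * loop only stops on an empty buffer or an incomplete frame header.
 * Returns the number of known frames completed. */
static int h3_demux_run(struct h3_demux *d, int buggy)
{
	while (d->off < d->len) {
		uint64_t avail, ret;

		if (!d->in_frame) {
			uint64_t t, l;
			size_t n1, n2;

			n1 = varint_decode(d->buf + d->off, d->len - d->off, &t);
			if (!n1)
				break;                 /* partial header: wait for more data */
			n2 = varint_decode(d->buf + d->off + n1, d->len - d->off - n1, &l);
			if (!n2)
				break;
			d->off += n1 + n2;
			d->frame_type = t;
			d->frame_len = l;
			d->in_frame = 1;
		}

		/* Payload bytes available for this frame; a zero-length frame
		 * (a grease frame, for instance) legitimately gives ret == 0. */
		avail = d->len - d->off;
		ret = avail < d->frame_len ? avail : d->frame_len;

		if (buggy && !ret)
			break;                         /* pre-patch: the stream freezes here */

		if (ret) {
			d->off += (size_t)ret;         /* like b_del(rxbuf, ret) */
			d->frame_len -= ret;           /* like demux_frame_len -= ret */
		}

		if (d->frame_len == 0) {           /* frame complete, unknown types are dropped */
			if (h3_type_known(d->frame_type))
				d->known_frames++;
			else
				d->unknown_frames++;
			d->in_frame = 0;
		}
	}
	return d->known_frames;
}

/* Constructed stream: zero-length reserved-type frame 0x40 (0x1f * 1 + 0x21),
 * then a HEADERS frame with 3 opaque bytes, then a 5-byte DATA frame. */
static const uint8_t sample[] = {
	0x40, 0x40,                            /* type 0x40 as a 2-byte varint */
	0x00,                                  /* length 0 */
	0x01, 0x03, 0x00, 0x00, 0xc0,          /* HEADERS, length 3 */
	0x00, 0x05, 'h', 'e', 'l', 'l', 'o',   /* DATA, length 5 */
};

/* Runs the demux over the sample; returns known frames, reports bytes consumed
 * and unknown frames skipped through the optional out-parameters. */
int run_sample(int buggy, size_t *consumed, int *unknown)
{
	struct h3_demux d = { .buf = sample, .len = sizeof(sample) };
	int known = h3_demux_run(&d, buggy);

	if (consumed)
		*consumed = d.off;
	if (unknown)
		*unknown = d.unknown_frames;
	return known;
}

int main(void)
{
	size_t c;
	int u, k;

	k = run_sample(1, &c, &u);
	printf("pre-patch: known=%d unknown=%d consumed=%zu/%zu\n", k, u, c, sizeof(sample));
	k = run_sample(0, &c, &u);
	printf("patched:   known=%d unknown=%d consumed=%zu/%zu\n", k, u, c, sizeof(sample));
	return 0;
}
```

With the pre-patch break, the loop stops right after the 3-byte grease header and never reaches the HEADERS and DATA frames that follow, which is the frozen transfer the commit message describes; with the break removed, the zero-length frame completes without consuming any payload and the two known frames are demuxed normally.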