From 7163d9180cb319db087221a683c0f2d02ffbf0be Mon Sep 17 00:00:00 2001
From: zhanhb <6323014+zhanhb@users.noreply.github.com>
Date: Sat, 27 Sep 2025 23:01:32 +0800
Subject: [PATCH] BUG/MINOR: h2: forbid 'Z' as well in header field names checks

The current tests in h2_make_htx_request(), h2_make_htx_response() and h2_make_htx_trailers() check for an interval between 'A' and 'Z' for letters in header field names that should be forbidden, but mistakenly leave the 'Z' out of the forbidden range, resulting in it being implicitly valid. This has no real consequences but should be fixed for the sake of protocol validity checking. This must be backported to all relevant versions.
---
 src/h2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/h2.c b/src/h2.c
index 491f62323..9cc006ea9 100644
--- a/src/h2.c
+++ b/src/h2.c
@@ -349,7 +349,7 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
 phdr = h2_str_to_phdr(list[idx].n);
 for (i = !!phdr; i < list[idx].n.len; i++)
- if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+ if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
 goto fail;
 }
@@ -665,7 +665,7 @@ int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *m
 phdr = h2_str_to_phdr(list[idx].n);
 for (i = !!phdr; i < list[idx].n.len; i++)
- if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+ if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
 goto fail;
 }
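Review bot: The corrected range test is still pasted verbatim into h2_make_htx_request(), h2_make_htx_response() and h2_make_htx_trailers() (the hunks at -349, -665 and -828), which is exactly how the off-by-one survived in three copies; consider folding it into one helper, e.g. `static inline int h2_hdr_name_char_ok(char c) { return (uint8_t)(c - 'A') > 'Z' - 'A' && HTTP_IS_TOKEN(c); }`, and writing `if (!h2_hdr_name_char_ok(list[idx].n.ptr[i]))` at the three sites. The subtraction trick `(uint8_t)(c - 'A') <= 'Z' - 'A'` is not self-evidently "c is an uppercase letter", so a one-line comment at each check such as `/* uppercase letters are forbidden in HTTP/2 field names (RFC7540#8.1.2), as are non-token chars */` would help the next reader. Since 'Z' was accepted before this commit, a regression test feeding a field name containing 'Z' on the request, response and trailer paths would pin the fix. The enclosing functions start and end outside all three hunks.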
@@ -828,7 +828,7 @@ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx)
 * also catches pseudo-headers which are forbidden in trailers. */
 for (i = 0; i < list[idx].n.len; i++)
- if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
+ if ((uint8_t)(list[idx].n.ptr[i] - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i]))
 goto fail;
 /* these ones are forbidden in trailers (RFC7540#8.1.2.2) */
-- 
2.47.3