From bd71212ea9900d1dc7c5aefe62df44c023520a38 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 14 Feb 2024 16:59:24 +0100
Subject: [PATCH] BUG/MINOR: qpack: reject invalid increment count decoding
Close the connection using QPACK_DECODER_STREAM_ERROR when receiving an invalid insert count increment. As haproxy does not use dynamic table, this instruction must never be emitted by the peer. Prior to this patch, haproxy silently ignored such instruction which is not conform to the QUIC specification. This should be backported up to 2.6. Note that on 2.6 qcc_set_error() must be replaced by function qcc_emit_cc_app().
---
 src/qpack-dec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 97392bbc3e..6a3bf43204 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -173,6 +173,18 @@ int qpack_decode_dec(struct buffer *buf, int fin, void *ctx)
 inst = (unsigned char)*b_head(buf) & QPACK_DEC_INST_BITMASK;
 if (inst == QPACK_DEC_INST_ICINC) {
 /* Insert count increment */
+
+ /* RFC 9204 4.4.3. Insert Count Increment
+ *
+ * An encoder that receives an Increment field equal to zero, or one
+ * that increases the Known Received Count beyond what the encoder has
+ * sent, MUST treat this as a connection error of type
+ * QPACK_DECODER_STREAM_ERROR.
+ */
+
+ /* For the moment haproxy does not emit dynamic table insertion. */
+ qcc_set_error(qcs->qcc, QPACK_DECODER_STREAM_ERROR, 1);
+ return -1;
 }
 else if (inst & QPACK_DEC_INST_SACK) {
 /* Section Acknowledgment */
-- 
2.47.3
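Review bot: The new Insert Count Increment branch rejects the instruction unconditionally, without decoding the Increment field, and the only justification is the short "for the moment" comment placed after the RFC quote, which itself describes a value check. That is sound while haproxy sends no dynamic table insertions, since any increment then exceeds what the encoder has sent, but the comment should say so and mark the spot to revisit, e.g. `/* No dynamic table insertion is ever sent, so any increment exceeds the Known Received Count: reject without decoding. Replace with a real bound check once insertions are emitted. */`. The meaning of the literal `1` passed to `qcc_set_error()` is not visible in the hunk and would merit a short comment as well. The Section Acknowledgment branch that follows has its body outside this hunk; RFC 9204 4.4.1 defines a comparable QPACK_DECODER_STREAM_ERROR case for acknowledgments with nothing outstanding, so it is worth checking whether that branch needs the same handling.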