BUG/MEDIUM: h3: reject client push stream
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Tue, 26 May 2026 08:25:54 +0000 (10:25 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Tue, 26 May 2026 11:52:03 +0000 (13:52 +0200)
HTTP/3 push streams can only be opened by a server instance. The
specification mandates that the connection must be closed if a server
receives a client-initiated push stream.

This patch should ensure that unidirectional streams cannot be exploited for an unexpected purpose.

This must be backported up to 2.6.

src/h3.c

index bd91d7ec9ac45427bfd324b09a1a2c85aa047140..6210f2c16ccfc2daa00d4167e3fd68d4a6b4b2fa 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -212,6 +212,19 @@ static ssize_t h3_init_uni_stream(struct h3c *h3c, struct qcs *qcs,
                break;
 
        case H3_UNI_S_T_PUSH:
+               if (!conn_is_back(qcs->qcc->conn)) {
+                       /* RFC 9114 6.2.2. Push Streams
+                        *
+                        * Only servers can push; if a server receives a client-initiated push
+                        * stream, this MUST be treated as a connection error of type
+                        * H3_STREAM_CREATION_ERROR.
+                        */
+                       TRACE_ERROR("reject push from client", H3_EV_H3S_NEW, qcs->qcc->conn, qcs);
+                       qcc_set_error(qcs->qcc, H3_ERR_STREAM_CREATION_ERROR, 1,
+                                     muxc_tevt_type_proto_err);
+                       qcc_report_glitch(qcs->qcc, 1);
+                       goto err;
+               }
                /* TODO not supported for the moment */
                h3s->type = H3S_T_PUSH;
                break;
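Review bot: The symmetric case is left open on the lines right after the new guard: on a backend connection a server-initiated push stream is still accepted and merely tagged `h3s->type = H3S_T_PUSH` under the pre-existing TODO, so it is neither parsed nor refused. If this mux never emits MAX_PUSH_ID (not verifiable from this hunk), RFC 9114 §7.2.7 leaves the maximum push ID unset and the peer is not allowed to push at all, so a received push stream would likewise be a protocol violation (H3_ID_ERROR per §6.2.2) that could be rejected with the same TRACE_ERROR / qcc_set_error / qcc_report_glitch / goto err sequence instead of being silently accepted. At minimum the TODO now only describes the backend side and could say so: `/* TODO push streams not supported for the moment (backend side only) */`. The enclosing h3_init_uni_stream starts before this hunk and the `err` label it jumps to lies outside it.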