BUG/MEDIUM: h3: Properly handle PUSH_PROMISE on backend connections
authorOlivier Houchard <ohouchard@haproxy.com>
Fri, 12 Jun 2026 11:39:07 +0000 (13:39 +0200)
committerOlivier Houchard <cognet@ci0.org>
Fri, 12 Jun 2026 12:01:07 +0000 (14:01 +0200)
When we receive a PUSH_PROMISE frame that we do not expect, flag it as a
connection error instead of just setting ret to H3_ERR_ID_ERROR: that
value would be taken as the number of bytes we read, and could lead to
random corruption. This should only happen with backend connections.
This should be backported whenever commit 4a8bb2fe5 is backported.

src/h3.c

index 071206b7a9ec04324f327b514d8ce9377cb2a277..f3c18bfe34347200611b09e0c1e966e5d0a33cee 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -2074,8 +2074,9 @@ static ssize_t h3_rcv_buf(struct qcs *qcs, struct buffer *b, int fin)
                         * receipt of a PUSH_PROMISE frame that contains a larger push ID than
                         * the client has advertised as a connection error of H3_ID_ERROR.
                         */
-                       ret = H3_ERR_ID_ERROR;
-                       break;
+                       TRACE_ERROR("Received unexpected PUSH_PROMISE frame", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
+                       qcc_set_error(qcs->qcc, H3_ERR_ID_ERROR, 1, muxc_tevt_type_proto_err);
+                       goto err;
                case H3_FT_MAX_PUSH_ID:
                        /* h3_check_frame_valid() must reject on client side. */
                        BUG_ON(conn_is_back(qcs->qcc->conn));
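Review bot: Nothing at the three added lines records why this case must leave through `goto err` rather than assign to `ret`, which is the exact mistake being fixed, so a later edit could reintroduce it. I would add `/* ret is the consumed byte count: report the error with qcc_set_error() and bail out, never store an H3 error code in ret */` above the TRACE_ERROR call. Since the frame is supplied by the peer (a backend server here, per the commit message), the remaining cases of this switch are worth checking for the same `ret = H3_ERR_...; break;` shape; they are outside the hunk, so I cannot tell whether any exist. The switch header, the `err` label and the rest of h3_rcv_buf() also lie outside the hunk, so I am assuming `err` returns a negative value to the caller.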