From: Willy Tarreau
Date: Sat, 23 May 2026 17:42:43 +0000 (+0200)
Subject: BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep
X-Git-Tag: v3.4-dev14~51
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=8e1d33a6481a2e301512c3d3deb7467ade432ebf;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep

When the PRIORITY flag is present on a HEADERS frame, the frame must contain a stream dependency and a weight, for a total of 5 bytes. The length is checked after reading the stream dep field so theoretically such a frame could cause up to 4-byte OOB read at the end of the buffer, though in practice buffers allocated from pools never end on a page boundary (one extra word at the end) and the anomaly is still detected after reading the stream ID and the connection aborted with the glitch count incremented. Thus while not technically correct, practically speaking it's harmless.

This should be backported to all stable releases.
---

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 8a54e3a0c..7546e04a6 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -6236,6 +6236,13 @@ next_frame:
 /* Skip StreamDep and weight for now (we don't support PRIORITY) */
 if (h2c->dff & H2_F_HEADERS_PRIORITY) {
+ if (flen < 5) {
+ h2c_report_glitch(h2c, 1, "too short PRIORITY frame");
+ TRACE_STATE("too short PRIORITY frame", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
+ goto fail;
+ }
+
 if (read_n32(hdrs) == h2c->dsi) {
 /* RFC7540#5.3.1 : stream dep may not depend on itself */
 h2c_report_glitch(h2c, 1, "PRIORITY frame referencing itself");
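Review bot: With the length guard now placed ahead of `read_n32(hdrs)`, the self-dependency comparison immediately after it still tests the raw 32-bit field against `h2c->dsi`; in RFC 7540 §6.2 the top bit of that field is the E (exclusive) flag, so a frame that sets E and names its own stream would slip past `read_n32(hdrs) == h2c->dsi` and be silently skipped rather than counted as a glitch. If that anomaly is meant to be reported like the non-exclusive case, masking the flag off does it: `if ((read_n32(hdrs) & 0x7fffffff) == h2c->dsi) {`. The new `flen < 5` check would also read better with the RFC reference its neighbour already carries, e.g. `/* RFC7540#6.2: E+StreamDep (4 bytes) and Weight (1 byte) must be present */`. The enclosing function begins and ends outside the hunk.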
@@ -6245,13 +6252,6 @@ next_frame:
 goto fail;
 }
- if (flen < 5) {
- h2c_report_glitch(h2c, 1, "too short PRIORITY frame");
- TRACE_STATE("too short PRIORITY frame", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
- h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
- goto fail;
- }
-
 hdrs += 5; // stream dep = 4, weight = 1
 flen -= 5;
 }