From: Frederic Lecaille Date: Wed, 27 May 2026 14:40:52 +0000 (+0200) Subject: BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx() X-Git-Tag: v3.4.0~81 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e2d2f67666bb47ba0441257966b7f0ae03fc2f98;p=thirdparty%2Fhaproxy.git BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx() The sign bit of the Delta Base integer encoding was extracted using mask 0x8 (bit 3) instead of 0x80 (bit 7). This was likely a copy-paste error from other QPACK instructions using 3-bit varints. According to RFC 9204 Section 5.2.1, for prefix instructions, the sign bit 'S' is the most significant bit (bit 7) of the first byte, followed by a 7-bit varint. This fix is harmless for current HTTP/3 traffic: per RFC 9204, the Delta Base calculation is strictly used for dynamic table entry references. Since HAProxy's QPACK dynamic table is currently disabled and the extracted sign bit is not yet used in the decoding logic (only in debug prints), this code path has no impact on production for now. Must be backported to all versions. --- diff --git a/src/qpack-dec.c b/src/qpack-dec.c index 886a7f34b..06642b5ea 100644 --- a/src/qpack-dec.c +++ b/src/qpack-dec.c @@ -239,7 +239,7 @@ static int qpack_decode_fs_pfx(uint64_t *enc_ric, uint64_t *db, int *sign_bit, return -QPACK_RET_TRUNCATED; /* Safe access to the sign bit thanks to the check above */ - *sign_bit = **raw & 0x8; + *sign_bit = **raw & 0x80; *db = qpack_get_varint(raw, len, 7); if (*len == (uint64_t)-1) return -QPACK_RET_DB;