From 0963070d4f5114a56ab9c71274f8d4c9e341412d Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouchard@haproxy.com>
Date: Wed, 22 Apr 2026 18:52:35 +0200
Subject: [PATCH] BUG/MINOR: h2: Don't look at the exclusive bit for PRIORITY
 frame

When receiving a PRIORITY frame, when checking if the stream id provided
is ours, ignore bit 31, as it is the exclusive bit, and not part of the
stream id, whoever sends a PRIORITY frame with its own id and the
exclusive bit set will not be considered an error, as it should per the
RFC.

The impact is basically non-existent since we don't use PRIORITY frames,
it's only that we would ignore such an invalid frame instead of breaking
the connection.

The bug was introduced in 1.9 with commit 92153fccd3 ("BUG/MINOR: h2:
properly check PRIORITY frames") so the fix must be backported to all
versions.
---
 src/mux_h2.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index ba12a543d..ab15221e3 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3432,7 +3432,11 @@ static int h2c_handle_priority(struct h2c *h2c)
 		return 0;
 	}
 
-	if (h2_get_n32(&h2c->dbuf, 0) == h2c->dsi) {
+	/*
+	 * Bit 31 is the "exclusive" bit, it is not part of the stream id,
+	 * so ignore it when checking if the stream id is ours.
+	 */
+	if ((h2_get_n32(&h2c->dbuf, 0) & 0x7fffffff) == h2c->dsi) {
 		/* 7540#5.3 : can't depend on itself */
 		h2c_report_glitch(h2c, 1, "PRIORITY depends on itself");
 		TRACE_ERROR("PRIORITY depends on itself", H2_EV_RX_FRAME|H2_EV_RX_WU, h2c->conn);