From 1cd43aa1947da89044f4c4d699e07cf4fae8d482 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 8 Jun 2022 18:21:32 +0200
Subject: [PATCH] BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing

BUG_ON() assertion to check for incomplete SETTINGS frame is incorrect. It should check if frame length is greater, not smaller, than current buffer data. Anyway, this BUG_ON() is useless as h3_decode_qcs() prevents parsing of an incomplete frame, except for H3 DATA. Remove it to fix this bug. This bug was introduced in the current dev tree by commit commit 62eef85961f4a2a241e0b24ef540cc91f156b842 MINOR: mux-quic: simplify decode_qcs API Thus it does not need to be backported. This fixes crashes which happen with DEBUG_STRICT=2. Most notably, this is reproducible with clients that emit more than just a SETTINGS frame on the H3 control stream. It can be reproduced with aioquic for example.
---
 src/h3.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index 96c1b0e2d..9a65ebd75 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -500,9 +500,6 @@ static ssize_t h3_parse_settings_frm(struct h3c *h3c, const struct buffer *buf,
 /* Work on a copy of . */
 b = b_make(b_orig(buf), b_size(buf), b_head_ofs(buf), b_data(buf));
 
- /* TODO handle incomplete SETTINGS frame */
- BUG_ON(len < b_data(&b));
-
 while (b_data(&b)) {
 if (!b_quic_dec_int(&id, &b, &ret) || !b_quic_dec_int(&value, &b, &ret)) {
 h3c->err = H3_FRAME_ERROR;
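Review bot: With the assertion gone, nothing left in the hunk ties the parse to the SETTINGS frame length: `b` is built over the whole of `b_data(buf)` and `while (b_data(&b))` consumes to the end of that buffer, so `len` no longer participates in the visible code at all, and if a caller ever hands in more than `len` bytes (a control stream carrying further frames after SETTINGS, the very scenario the message mentions) the trailing bytes would be decoded as setting id/value pairs. The commit message says h3_decode_qcs() guarantees a complete frame, but that is a caller contract, and the removed BUG_ON was, intent-wise, the only local check of it. I would replace the assert with a runtime check in the correct direction and clip the working copy to the frame, e.g. `if (b_data(&b) < len) return <the function's "need more data" result>;` followed by `b_set_data(&b, len);` after the b_make() line — assuming b_set_data() is the right buf.h primitive to shrink the view; please verify. h3_parse_settings_frm begins before and continues past this hunk, so `len` may still be used further down and the early-return value should follow the function's existing convention.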