From 3d87558f3589c97c809c0c74be7c9fd08293db86 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 26 Apr 2021 17:46:13 +0200
Subject: [PATCH] BUG/MINOR: mux-h2: Don't encroach on the reserve when decoding headers
Since the input buffer is transferred to the stream when it is created, there is no longer control on the request size to be sure the buffer's reserve is still respected. It was automatically performed in h2_rcv_buf() because the caller took care to provide the correct available space in the buffer. The control is still there but it is no longer applied on the request headers. Now, we should take care of the reserve when the headers are decoded, before the stream creation. The test is performed for the request and the response. It is a 2.4-specific bug. No backport is needed.
---
 src/mux_h2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 950dc9e73..f1749f8d1 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -4736,9 +4736,10 @@ next_frame:
 else outlen = h2_make_htx_request(list, htx, &msgf, body_len);
- if (outlen < 0) {
+ if (outlen < 0 || htx_free_space(htx) < global.tune.maxrewrite) {
 /* too large headers? this is a stream error only */
- TRACE_STATE("request headers too large", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR|H2_EV_PROTO_ERR, h2c->conn);
+ TRACE_STATE("message headers too large", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2S_ERR|H2_EV_PROTO_ERR, h2c->conn);
+ htx->flags |= HTX_FL_PARSING_ERROR;
 goto fail;
 }
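Review bot: The comment `/* too large headers? this is a stream error only */` and the single trace string "message headers too large" now cover two different failures in the new `if`: a decode failure (`outlen < 0`), and a message that decoded successfully but left less than `global.tune.maxrewrite` free in the HTX buffer. Someone reading a trace cannot tell which condition rejected the stream, so I would at least extend the comment, e.g. `/* too large headers, or headers encroaching on the rewrite reserve (tune.maxrewrite)? this is a stream error only */`. The added `htx->flags |= HTX_FL_PARSING_ERROR;` also applies to the pre-existing `outlen < 0` path, which the commit message does not mention; it is worth confirming that this is intended. The enclosing function and the `fail` label lie outside the hunk, so how the partially filled `htx` is handled after the jump cannot be checked from here.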