From 4f09ec812adbd9336cddc054660a7fb5cd54b459 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 19 Jun 2019 09:25:58 +0200
Subject: [PATCH] BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked

When a DATA frame is processed for a message with a content-length, we first take care to not have a frame size that exceeds the remaining to read. Otherwise, an error is triggered. But we must remove the padding length from the frame size because the padding is not included in the announced content-length. This patch must be backported to 2.0 and 1.9.
---
 src/mux_h2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index c06d5d68e..5bb851819 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2177,7 +2177,7 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s)
 goto strm_err;
 }

- if ((h2s->flags & H2_SF_DATA_CLEN) && h2c->dfl > h2s->body_len) {
+ if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) {
 /* RFC7540#8.1.2 */
 error = H2_ERR_PROTOCOL_ERROR;
 goto strm_err;
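Review bot: The new expression `(h2c->dfl - h2c->dpl)` in the H2_SF_DATA_CLEN test relies on the pad length never exceeding the frame length, and nothing in this hunk shows where that is enforced. If `dpl` could be larger than `dfl` at this point, the difference would go negative or wrap depending on the field types (not visible here), and the comparison with `h2s->body_len` would then either reject a valid frame or let a malformed one past the content-length check. It is worth confirming that the padding is validated before h2c_frt_handle_data() reaches this test and recording that above it, e.g. `/* padding is not counted in content-length; dpl <= dfl was verified when the pad length was parsed */`. The function body starts and ends outside the hunk.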