From 5d2fe1871a1ec4ec68a8ed262f4526e02e8e9fc1 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Mon, 29 Jan 2024 13:47:44 +0100
Subject: [PATCH] BUG/MEDIUM: h3: do not crash on invalid response status code

A crash occurs in h3_resp_headers_send() if an invalid response code is received from the backend side. Fix this by properly flagging the connection on error. This will cause a CONNECTION_CLOSE. This should fix github issue #2422. Big thanks to ygkim (@yokim-git) for his help and reactivity. Initially, GDB reported an invalid code source location due to heavy functions inlining inside h3_snd_buf(). The issue was found after using -Og flag. This must be backported up to 2.6.
---
 src/h3.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index 90ce3d88c..424ecd833 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -1563,8 +1563,11 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx)
 qcs->qcc->conn, qcs);
 if (qpack_encode_field_section_line(&headers_buf))
 ABORT_NOW();
- if (qpack_encode_int_status(&headers_buf, status))
- ABORT_NOW();
+ if (qpack_encode_int_status(&headers_buf, status)) {
+ TRACE_ERROR("invalid status code", H3_EV_TX_FRAME|H3_EV_TX_HDR, qcs->qcc->conn, qcs);
+ h3c->err = H3_INTERNAL_ERROR;
+ goto err;
+ }
 
 for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) {
 if (isteq(list[hdr].n, ist("")))
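Review bot: The new `goto err` on the status-code check jumps to a label outside this hunk, so it is worth confirming that the `err:` path releases headers_buf (allocated earlier in the function, also outside the hunk) and returns a value the caller treats as failure, otherwise the stream could continue with a partially encoded HEADERS frame. The preceding `qpack_encode_field_section_line()` failure still calls `ABORT_NOW()`, which now reads as an inconsistency with the fixed branch; a one-line comment stating why that call cannot be driven to failure by backend data would make the asymmetry intentional. The new branch itself would benefit from a short why-comment, e.g. `/* status cannot be encoded by qpack: fail the connection instead of crashing the process */`, since H3_INTERNAL_ERROR alone does not say the input came from the backend. h3_resp_headers_send() starts and ends outside the hunk.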