From 682f73b4fa6d76aa0b5b743fe92777822884772d Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 13 Dec 2023 15:36:52 +0100 Subject: [PATCH] BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty During HEADERS frames decoding, if a frame is too large to fit in a buffer, an internal error is reported and a RST_STREAM is emitted. On the other hand, we wait to have an empty rxbuf to decode the frame because we cannot retry a failed HPACK decompression. When we are decoding headers, it is valid to return an error if dbuf buffer is full because no data can be blocked in the rxbuf (which hosts the HTX message). However, during the trailers decoding, it is possible to have some data not sent yet for the current stream in the rxbug and data for another stream fully filling the dbuf buffer. In this case, we don't decode the trailers but we must not return an error. We must wait to empty the rxbuf first. Now, a HEADERS frame is considered as too large if the dbuf buffer is full and if the rxbuf is empty (the HTX message to be accurate). This patch should fix the issue #2382. It must be backported to all stable versions. --- src/mux_h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index ad7c59f99..ff2d115f7 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -5212,7 +5212,7 @@ static int h2c_dec_hdrs(struct h2c *h2c, struct buffer *rxbuf, uint32_t *flags, b_sub(&h2c->dbuf, hole); } - if (b_full(&h2c->dbuf) && h2c->dfl) { + if (b_full(&h2c->dbuf) && h2c->dfl && (!htx || htx_is_empty(htx))) { /* too large frames */ h2c_error(h2c, H2_ERR_INTERNAL_ERROR); ret = -1;