mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-10 17:17:06 +02:00
Code Issues Projects Releases Wiki Activity

BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used

Browse Source 
Tim Dsterhus reported a possible crash in the H2 HEADERS frame decoder
when the PRIORITY flag is present. A check is missing to ensure the 5
extra bytes needed with this flag are actually part of the frame. As per
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.

Many thanks to Tim for responsibly reporting this issue with a working
config and reproducer. This issue was assigned CVE-2018-20615.

This fix must be backported to 1.9 and 1.8.
This commit is contained in:
Willy Tarreau 2018-12-31 07:41:24 +01:00
parent 202c6ce1a2
commit a01f45e3ce
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/mux_h2.c
View File

@ -3316,6 +3316,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
goto fail; goto fail;
} }
if (flen < 5) {
h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
goto fail;
}
hdrs += 5; // stream dep = 4, weight = 1 hdrs += 5; // stream dep = 4, weight = 1
flen -= 5; flen -= 5;
} }