mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames

Browse Source 
While parsing a headers frame, if the frame is wrapped in the buffer
and needs to be unwrapped, it will be duplicated before being processed.
But if it contains certain combinations of invalid flags, the parser
returns without releasing the temporary buffer leading to a memory
leak.

This fix needs to be backported to 1.8.
This commit is contained in:
Willy Tarreau 2018-09-05 18:30:05 +02:00
parent 590a0514f2
commit a0d11b6fd5
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/mux_h2.c
View File

@ -2746,7 +2746,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
if (h2c->dpl >= flen) { if (h2c->dpl >= flen) {
/* RFC7540#6.2 : pad length = length of frame payload or greater */ /* RFC7540#6.2 : pad length = length of frame payload or greater */
h2c_error(h2c, H2_ERR_PROTOCOL_ERROR); h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
return 0; goto fail;
} }
flen -= h2c->dpl + 1; flen -= h2c->dpl + 1;
hdrs += 1; // skip Pad Length hdrs += 1; // skip Pad Length
@ -2757,7 +2757,7 @@ static int h2_frt_decode_headers(struct h2s *h2s)
if (read_n32(hdrs) == h2s->id) { if (read_n32(hdrs) == h2s->id) {
/* RFC7540#5.3.1 : stream dep may not depend on itself */ /* RFC7540#5.3.1 : stream dep may not depend on itself */
h2c_error(h2c, H2_ERR_PROTOCOL_ERROR); h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
return 0;//goto fail_stream; goto fail;
} }
hdrs += 5; // stream dep = 4, weight = 1 hdrs += 5; // stream dep = 4, weight = 1