From ad75431b9c7eb739fa05f748098a9a505cf9c868 Mon Sep 17 00:00:00 2001
From: zhanhb <6323014+zhanhb@users.noreply.github.com>
Date: Sat, 27 Sep 2025 23:01:32 +0800
Subject: [PATCH] BUG/MINOR: h3: forbid 'Z' as well in header field names
 checks

The current tests in _h3_handle_hdr() and h3_trailers_to_htx() check
for an interval between 'A' and 'Z' for letters in header field names
that should be forbidden, but mistakenly leave the 'Z' out of the
forbidden range, resulting in it being implicitly valid.

This has no real consequences but should be fixed for the sake of
protocol validity checking.

This must be backported to all relevant versions.
---
 src/h3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index f071748ee..fdad3b068 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -546,7 +546,7 @@ static int _h3_handle_hdr(struct qcs *qcs, const struct http_hdr *hdr)
 
 	for (i = 0; i < istlen(name); ++i) {
 		const char c = istptr(name)[i];
-		if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+		if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
 			TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
 			goto err;
 		}
@@ -1425,7 +1425,7 @@ static ssize_t h3_trailers_to_htx(struct qcs *qcs, const struct buffer *buf,
 
 		for (i = 0; i < list[hdr_idx].n.len; ++i) {
 			const char c = list[hdr_idx].n.ptr[i];
-			if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
+			if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
 				TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
 				h3s->err = H3_ERR_MESSAGE_ERROR;
 				qcc_report_glitch(h3c->qcc, 1);