mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MAJOR: hpack: don't return direct references to the dynamic headers table

Browse Source 
Maximilian Bhm and Lucas Rolff both reported some random failed requests
with HTTP/2. Upon deep investigation on detailed traces provided by Lucas,
it turned out that some header names were occasionally corrupted and used
to point to random strings within the dynamic headers table.

The HPACK decoder must always return copies of header names that point
to the dynamic headers table. Otherwise, the insertion of a header after
the current one leading to a reorganization of the table will change the
data the pointer designates. Unfortunately, one such copy was missing for
indexed names, leading to random request failures due to invalid header
names.

Many thanks to Lucas who ran a large number of tests with full traces
helping to capture a reproduceable sequence exhibiting this issue.

This patch must be backported to 1.8.
This commit is contained in:
Willy Tarreau 2017-12-30 16:56:28 +01:00
parent ff47b3f41d
commit bb39b4945b
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/hpack-dec.c
View File

@ -365,8 +365,13 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
if (!must_index)
name.len = hpack_idx_to_phdr(idx);
if (!name.len)
name = hpack_idx_to_name(dht, idx);
if (!name.len) {
name = hpack_alloc_string(tmp, idx, hpack_idx_to_name(dht, idx));
if (!name.ptr) {
ret = -HPACK_ERR_TOO_LARGE;
goto leave;
}
}
/* <name> and <value> are correctly filled here */
}