From c611e6681b6ed4194b2e9ad0b096c275ab5c4012 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sun, 3 Dec 2017 18:09:21 +0100
Subject: [PATCH] BUG/MINOR: hpack: dynamic table size updates are only allowed
 before headers

h2spec reports that we used to support a dynamic table size update
anywhere in the header block but it's only allowed before other
headers (cf RFC7541#4.2.1). In practice we don't use these for now
since we only use literals in responses.

To backport to 1.8.
---
 src/hpack-dec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/hpack-dec.c b/src/hpack-dec.c
index 0515d011b..454f55cb7 100644
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@@ -202,6 +202,12 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
 		}
 		else if (*raw >= 0x20 && *raw <= 0x3f) {
 			/* max dyn table size change */
+			if (ret) {
+				/* 7541#4.2.1 : DHT size update must only be at the beginning */
+				ret = -HPACK_ERR_TOO_LARGE;
+				goto leave;
+			}
+
 			idx = get_var_int(&raw, &len, 5);
 			if (len == (uint32_t)-1) { // truncated
 				ret = -HPACK_ERR_TRUNCATED;