From f8df9bd6a5057647c2999ace0b27474c7008b421 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 14 Feb 2024 18:23:12 +0100
Subject: [PATCH] BUG/MINOR: qpack: reject invalid dynamic table capacity

Currently haproxy does not implement dynamic table support for QPACK. As such, dynamic table capacity advertized via H3 SETTINGS is 0. When receiving a non-null Set Dynamic Table Capacity instruction, close immediately the connection using QPACK_ENCODER_STREAM_ERROR. Prior to this patch, such instructions were simply ignored. This is non conform to QUIC specification. This should be backported up to 2.6. Note that on 2.6 qcc_set_error() must be replaced by function qcc_emit_cc_app().
---
 src/qpack-dec.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 6a3bf4320..7a8726f2c 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -135,6 +135,19 @@ int qpack_decode_enc(struct buffer *buf, int fin, void *ctx)
 }
 else if (inst & QPACK_ENC_INST_SDTC_BIT) {
 /* Set dynamic table capacity */
+ int capacity = *b_head(buf) & 0x1f;
+
+ /* RFC 9204 4.3.1. Set Dynamic Table Capacity
+ *
+ * The decoder MUST treat a new dynamic table capacity
+ * value that exceeds this limit as a connection error of type
+ * QPACK_ENCODER_STREAM_ERROR.
+ */
+ if (capacity) {
+ qcc_set_error(qcs->qcc, QPACK_ENCODER_STREAM_ERROR, 1);
+ return -1;
+ }
+
 }
 return 0;
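Review bot: In the added `int capacity = *b_head(buf) & 0x1f;`, `capacity` holds only the 5-bit prefix of the first byte, not the decoded prefix integer, so the name promises more than the code computes. That is enough for the `if (capacity)` test, because a zero prefix encodes exactly 0 and any larger value leaves the prefix non-zero, but the quoted RFC text refers to "this limit" without saying that the limit here is the advertised capacity of 0. I would add a comment such as `/* Only the 5-bit prefix is read: the advertised limit is 0, so any non-zero prefix already exceeds it. Decode the full integer before comparing against a non-zero limit. */`. The function starts and ends outside the hunk, so whether `buf` is guaranteed to hold at least one byte before `*b_head(buf)` cannot be confirmed from here.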