Fix an off-by-one mistake introduced in 76ae3635

We could still trigger the integer underflow condition in #2349 by supplying a padding length equal to the frame size.

Fix an off-by-one mistake introduced in 76ae3635
We could still trigger the integer underflow condition in #2349 by supplying a padding length equal to the frame size.
bea0e671 · Dag Haavi Finstad · 9dfcbe33 · bea0e671 · bea0e671
Commit bea0e671 authored Aug 11, 2017 by Dag Haavi Finstad
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 2 deletions

cache_http2_proto.c bin/varnishd/http2/cache_http2_proto.c +1 -1

t02003.vtc bin/varnishtest/tests/t02003.vtc +18 -1

No files found.
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -578,7 +578,7 @@ h2_rx_headers(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 	p = h2->rxf_data;
 	l = h2->rxf_len;
 	if (h2->rxf_flags & H2FF_HEADERS_PADDED) {
-		if (*p > l)
+		if (*p + 1 > l)
 			return (H2CE_PROTOCOL_ERROR);	// rfc7540,l,1884,1887
 		l -= 1 + *p;
 		p += 1;

--- a/bin/varnishtest/tests/t02003.vtc
+++ b/bin/varnishtest/tests/t02003.vtc
@@ -387,7 +387,24 @@ client c1 {
 	expect_close
 } -run

-#2349: Integer underrun may also occur when the padding flag is set
+#2349: Padding equal to frame size
+client c1 {
+	stream 1 {
+		sendhex 000001
+		sendhex 01
+		sendhex 09
+		sendhex 00000001
+		sendhex 01
+	} -run
+	stream 0 {
+		rxgoaway
+		expect goaway.err == PROTOCOL_ERROR
+		expect goaway.laststream == 1
+	} -run
+	expect_close
+} -run
+
+#2349: Integer underrun may also occur when the priority flag is set
 client c1 {
 	stream 1 {
 		sendhex 000004