|
|
a590c8 |
From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001
|
|
|
a590c8 |
From: Christopher Faulet <cfaulet@haproxy.com>
|
|
|
a590c8 |
Date: Thu, 22 Dec 2022 09:47:01 +0100
|
|
|
a590c8 |
Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream
|
|
|
a590c8 |
flag set
|
|
|
a590c8 |
|
|
|
a590c8 |
As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an
|
|
|
a590c8 |
informational status code is malformed. However, there is no test on this
|
|
|
a590c8 |
condition.
|
|
|
a590c8 |
|
|
|
a590c8 |
On 2.4 and higher, it is hard to predict consequences of this bug because
|
|
|
a590c8 |
end of the message is only reported with a flag. But on 2.2 and lower, it
|
|
|
a590c8 |
leads to a crash because there is an unexpected extra EOM block at the end
|
|
|
a590c8 |
of an interim response.
|
|
|
a590c8 |
|
|
|
a590c8 |
Now, when a ES flag is detected on a HEADERS frame for an interim message, a
|
|
|
a590c8 |
stream error is sent (RST_STREAM/PROTOCOL_ERROR).
|
|
|
a590c8 |
|
|
|
a590c8 |
This patch should solve the issue #1972. It should be backported as far as
|
|
|
a590c8 |
2.0.
|
|
|
a590c8 |
|
|
|
a590c8 |
(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4)
|
|
|
a590c8 |
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
|
a590c8 |
(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59)
|
|
|
a590c8 |
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
|
|
a590c8 |
(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5)
|
|
|
a590c8 |
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
|
|
a590c8 |
(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1)
|
|
|
a590c8 |
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
|
|
a590c8 |
---
|
|
|
a590c8 |
src/mux_h2.c | 5 +++++
|
|
|
a590c8 |
1 file changed, 5 insertions(+)
|
|
|
a590c8 |
|
|
|
a590c8 |
diff --git a/src/mux_h2.c b/src/mux_h2.c
|
|
|
a590c8 |
index 7d23e5abd..7dbbfefec 100644
|
|
|
a590c8 |
--- a/src/mux_h2.c
|
|
|
a590c8 |
+++ b/src/mux_h2.c
|
|
|
a590c8 |
@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
|
|
|
a590c8 |
*flags |= H2_SF_HEADERS_RCVD;
|
|
|
a590c8 |
|
|
|
a590c8 |
if (h2c->dff & H2_F_HEADERS_END_STREAM) {
|
|
|
a590c8 |
+ if (msgf & H2_MSGF_RSP_1XX) {
|
|
|
a590c8 |
+ /* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
|
|
|
a590c8 |
+ TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
|
|
|
a590c8 |
+ goto fail;
|
|
|
a590c8 |
+ }
|
|
|
a590c8 |
/* no more data are expected for this message */
|
|
|
a590c8 |
htx->flags |= HTX_FL_EOM;
|
|
|
a590c8 |
}
|
|
|
a590c8 |
--
|
|
|
a590c8 |
2.37.3
|
|
|
a590c8 |
|