[master] bea0e67 Fix an off-by-one mistake introduced in 76ae363534
Dag Haavi Finstad
daghf at varnish-software.com
Fri Aug 11 11:20:16 CEST 2017
commit bea0e671417df655a9b510c9da2c5d68f2f833df
Author: Dag Haavi Finstad <daghf at varnish-software.com>
Date: Fri Aug 11 11:00:23 2017 +0200
Fix an off-by-one mistake introduced in 76ae363534
We could still trigger the integer underflow condition in #2349 by
supplying a padding length equal to the frame size.
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index a2892d9..40a5a9b 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -578,7 +578,7 @@ h2_rx_headers(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
p = h2->rxf_data;
l = h2->rxf_len;
if (h2->rxf_flags & H2FF_HEADERS_PADDED) {
- if (*p > l)
+ if (*p + 1 > l)
return (H2CE_PROTOCOL_ERROR); // rfc7540,l,1884,1887
l -= 1 + *p;
p += 1;
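Review bot: The corrected check in `h2_rx_headers` still dereferences `*p` before establishing that the frame carries at least one payload byte, so a PADDED HEADERS frame with `rxf_len` of 0 takes its pad length from whatever `h2->rxf_data` points at. The outcome is still a PROTOCOL_ERROR because `*p + 1 > 0` always holds, but whether `rxf_data` is readable for an empty frame is not visible in this hunk. Testing the length first, `if (l < 1 || *p + 1 > l)`, removes that dependency. A short comment such as `// +1: the pad length octet itself counts against the frame length` would also record why the comparison is not simply `*p > l`. The function body starts and ends outside the hunk.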
diff --git a/bin/varnishtest/tests/t02003.vtc b/bin/varnishtest/tests/t02003.vtc
index 20b5f3c..b355fd4 100644
--- a/bin/varnishtest/tests/t02003.vtc
+++ b/bin/varnishtest/tests/t02003.vtc
@@ -387,7 +387,24 @@ client c1 {
expect_close
} -run
-#2349: Integer underrun may also occur when the padding flag is set
+#2349: Padding equal to frame size
+client c1 {
+ stream 1 {
+ sendhex 000001
+ sendhex 01
+ sendhex 09
+ sendhex 00000001
+ sendhex 01
+ } -run
+ stream 0 {
+ rxgoaway
+ expect goaway.err == PROTOCOL_ERROR
+ expect goaway.laststream == 1
+ } -run
+ expect_close
+} -run
+
+#2349: Integer underrun may also occur when the priority flag is set
client c1 {
stream 1 {
sendhex 000004
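Review bot: The new `#2349: Padding equal to frame size` case builds its frame from five bare `sendhex` lines, and nothing says which header field each one is or why this combination hits the boundary. A comment above them, for example `# HEADERS frame: length=1, type=0x01, flags=0x09 (PADDED|END_STREAM), stream=1, payload = pad length 1`, would let a reader see that the pad length equals the one-byte frame size. The visible part of the file also has no case for a PADDED frame with length 0, which would pin the other edge of the same check. The following `client c1` block continues outside the hunk.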