haproxy/bz2161140-refuse-response-end-stream-flag.patch

From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Thu, 22 Dec 2022 09:47:01 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream
 flag set

As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an
informational status code is malformed. However, there is no test on this
condition.

On 2.4 and higher, it is hard to predict consequences of this bug because
end of the message is only reported with a flag. But on 2.2 and lower, it
leads to a crash because there is an unexpected extra EOM block at the end
of an interim response.

Now, when a ES flag is detected on a HEADERS frame for an interim message, a
stream error is sent (RST_STREAM/PROTOCOL_ERROR).

This patch should solve the issue #1972. It should be backported as far as
2.0.

(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
 src/mux_h2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index 7d23e5abd..7dbbfefec 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
 		*flags |= H2_SF_HEADERS_RCVD;
 
 	if (h2c->dff & H2_F_HEADERS_END_STREAM) {
+		if (msgf & H2_MSGF_RSP_1XX) {
+			/* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
+			TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn);
+			goto fail;
+		}
 		/* no more data are expected for this message */
 		htx->flags |= HTX_FL_EOM;
 	}
-- 
2.37.3
Refuse interim responses with end-stream flag set Resolves: #2161140 2023-02-27 17:29:39 +00:00			`From 2c681c6f30fb90adab4701e287ff7a7db669b2e7 Mon Sep 17 00:00:00 2001`
			`From: Christopher Faulet <cfaulet@haproxy.com>`
			`Date: Thu, 22 Dec 2022 09:47:01 +0100`
			`Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream`
			`flag set`

			`As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an`
			`informational status code is malformed. However, there is no test on this`
			`condition.`

			`On 2.4 and higher, it is hard to predict consequences of this bug because`
			`end of the message is only reported with a flag. But on 2.2 and lower, it`
			`leads to a crash because there is an unexpected extra EOM block at the end`
			`of an interim response.`

			`Now, when a ES flag is detected on a HEADERS frame for an interim message, a`
			`stream error is sent (RST_STREAM/PROTOCOL_ERROR).`

			`This patch should solve the issue #1972. It should be backported as far as`
			`2.0.`

			`(cherry picked from commit 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4)`
			`Signed-off-by: Willy Tarreau <w@1wt.eu>`
			`(cherry picked from commit ebfae006c6b5de1d1fe0cdd51847ec1e39d5cf59)`
			`Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>`
			`(cherry picked from commit 84f5cba24f59b1c8339bb38323fcb01f434ba8e5)`
			`Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>`
			`(cherry picked from commit f5748a98c34bc889cae9386ca4f7073ab3f4c6b1)`
			`Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>`
			`---`
			`src/mux_h2.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/src/mux_h2.c b/src/mux_h2.c`
			`index 7d23e5abd..7dbbfefec 100644`
			`--- a/src/mux_h2.c`
			`+++ b/src/mux_h2.c`
			`@@ -4942,6 +4942,11 @@ static int h2c_decode_headers(struct h2c h2c, struct buffer rxbuf, uint32_t *f`
			`*flags \|= H2_SF_HEADERS_RCVD;`

			`if (h2c->dff & H2_F_HEADERS_END_STREAM) {`
			`+ if (msgf & H2_MSGF_RSP_1XX) {`
			`+ /* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */`
			`+ TRACE_STATE("invalid interim response with ES flag!", H2_EV_RX_FRAME\|H2_EV_RX_HDR\|H2_EV_H2C_ERR\|H2_EV_PROTO_ERR, h2c->conn);`
			`+ goto fail;`
			`+ }`
			`/* no more data are expected for this message */`
			`htx->flags \|= HTX_FL_EOM;`
			`}`
			`--`
			`2.37.3`