From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 31 Dec 2018 07:41:24 +0100 Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used MIME-Version: 1.0 Content-Type: text/plain; charset=latin1 Content-Transfer-Encoding: 8bit Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder when the PRIORITY flag is present. A check is missing to ensure the 5 extra bytes needed with this flag are actually part of the frame. As per RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR. Many thanks to Tim for responsibly reporting this issue with a working config and reproducer. This issue was assigned CVE-2018-20615. This fix must be backported to 1.9 and 1.8. --- src/mux_h2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/mux_h2.c b/src/mux_h2.c index 5803a84ff..a67bbb049 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -3297,6 +3297,11 @@ next_frame: goto fail; } + if (flen < 5) { + h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR); + goto fail; + } + hdrs += 5; // stream dep = 4, weight = 1 flen -= 5; } -- 2.20.1