41 lines
1.2 KiB
Diff
41 lines
1.2 KiB
Diff
From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
|
|
From: Willy Tarreau <w@1wt.eu>
|
|
Date: Mon, 31 Dec 2018 07:41:24 +0100
|
|
Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=latin1
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
|
|
when the PRIORITY flag is present. A check is missing to ensure the 5
|
|
extra bytes needed with this flag are actually part of the frame. As per
|
|
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
|
|
|
|
Many thanks to Tim for responsibly reporting this issue with a working
|
|
config and reproducer. This issue was assigned CVE-2018-20615.
|
|
|
|
This fix must be backported to 1.9 and 1.8.
|
|
---
|
|
src/mux_h2.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/src/mux_h2.c b/src/mux_h2.c
|
|
index 5803a84ff..a67bbb049 100644
|
|
--- a/src/mux_h2.c
|
|
+++ b/src/mux_h2.c
|
|
@@ -3297,6 +3297,11 @@ next_frame:
|
|
goto fail;
|
|
}
|
|
|
|
+ if (flen < 5) {
|
|
+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
hdrs += 5; // stream dep = 4, weight = 1
|
|
flen -= 5;
|
|
}
|
|
--
|
|
2.20.1
|
|
|