BUG/MEDIUM: h3: do not crash if no buf space for trailers

Replace ABORT_NOW() by proper error management in
h3_resp_trailers_send() for QPACK encoding operation.

If a QPACK encoding operation fails, it means there is not enough space
in qcs buffer. In this case, flag qcs instance with QC_SF_BLK_MROOM and
return an error. MUX is responsible to remove this flag once buffer
space is available.

This should fix the crash reported by gabrieltz on github issue #2006.

This must be backported up to 2.7.

diff --git a/src/h3.c b/src/h3.c
index 7f0dc47..cbb7540 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -1393,8 +1393,10 @@
/* Start the headers after frame type + length */
headers_buf = b_make(b_peek(res, b_data(res) + 9), b_contig_space(res) - 9, 0, 0);
- if (qpack_encode_field_section_line(&headers_buf))
- ABORT_NOW();
+ if (qpack_encode_field_section_line(&headers_buf)) {
+ qcs->flags |= QC_SF_BLK_MROOM;
+ goto err;
+ }
tail = b_tail(&headers_buf);
for (hdr = 0; hdr < sizeof(list) / sizeof(list[0]); ++hdr) {
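Review bot: the new branch after qpack_encode_field_section_line() treats every non-zero return as "no room" and sets QC_SF_BLK_MROOM, so a one-line comment stating that lack of space is the only failure this call can report would keep the flag from being set for an unrelated error later. Separately, the context line above builds headers_buf with a size of b_contig_space(res) - 9, and no check that at least 9 contiguous bytes are available is visible in this hunk; if that guard is not earlier in the function, it belongs before b_make() and should take the same QC_SF_BLK_MROOM path.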
@@ -1412,8 +1414,10 @@
continue;
}
- if (qpack_encode_header(&headers_buf, list[hdr].n, list[hdr].v))
- ABORT_NOW();
+ if (qpack_encode_header(&headers_buf, list[hdr].n, list[hdr].v)) {
+ qcs->flags |= QC_SF_BLK_MROOM;
+ goto err;
+ }
}
/* Now that all headers are encoded, we are certain that res buffer is
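Review bot: the failure branch inside the loop can be reached after earlier trailers have already been written into headers_buf, and the err label is not shown here, so please confirm that it returns without committing anything to res (the comment on the following line suggests res is only advanced once all headers are encoded) and that the caller re-encodes the whole trailers block once the MUX clears QC_SF_BLK_MROOM. The pair "qcs->flags |= QC_SF_BLK_MROOM; goto err;" now appears twice; a dedicated label that sets the flag before falling into err would keep the two sites consistent.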