BUG/MINOR: h3: fix parsing of unknown frame type with null length
HTTP/3 implementation must ignore unknown frame type to support protocol
evolution. Clients can deliberately use unknown type to test that the
server is conformant : this principle is called greasing.
Quiche client uses greasing on H3 frame type with a zero length frame.
This reveals a bug in H3 parsing code which causes the transfer to be
interrupted. Fix this by removing the break statement on ret variable.
Now the parsing loop is only interrupted if input buffer is empty or the
demux is blocked.
This should fix http/3 freeze transfers with the quiche client. Thanks
to Lucas Pardue from Cloudflare for his report on the bug. Frédéric
Lecaille quickly found the source of the problem which helps me to write
this patch.
diff --git a/src/h3.c b/src/h3.c
index 61ea09a..8a41f07 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -315,12 +315,11 @@
ret = MIN(b_data(rxbuf), flen);
}
- if (!ret)
- break;
-
- b_del(rxbuf, ret);
- BUG_ON(h3s->demux_frame_len < ret);
- h3s->demux_frame_len -= ret;
+ if (ret) {
+ b_del(rxbuf, ret);
+ BUG_ON(h3s->demux_frame_len < ret);
+ h3s->demux_frame_len -= ret;
+ }
}
/* TODO may be useful to wakeup the MUX if blocked due to full buffer.