BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits h2spec reported that we didn't check that no more than 7 bits of padding were left after decoding an huffman-encoded literal. This is harmless but better fix it now. To backport to 1.8.

commit: 4235d182143369d608c436f83004ce931ebb3635 [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Sun Dec 03 12:00:36 2017 +0100
committer: Willy Tarreau <w@1wt.eu> Sun Dec 03 21:08:39 2017 +0100
tree: c92e25438cadb1df72a1f6f1b911e727e5cab241
parent: 9e28f459b4d003072d84fce57811b26ff8245f54 [diff] [blame]
diff --git a/src/hpack-huff.c b/src/hpack-huff.c
index 23aa541..cbf1fa0 100644
--- a/src/hpack-huff.c
+++ b/src/hpack-huff.c

@@ -1518,8 +1518,12 @@
 
 	if (bleft > 0) {
 		/* some bits were not consumed after the last code, they must
-		 * match EOS (ie: all ones).
+		 * match EOS (ie: all ones) and there must be 7 bits or less.
+		 * (7541#5.2).
 		 */
+		if (bleft > 7)
+			return -1;
+
 		if ((code & -(1 << (32 - bleft))) != (uint32_t)-(1 << (32 - bleft)))
 			return -1;
 	}
commit	4235d182143369d608c436f83004ce931ebb3635	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Sun Dec 03 12:00:36 2017 +0100
committer	Willy Tarreau <w@1wt.eu>	Sun Dec 03 21:08:39 2017 +0100
tree	c92e25438cadb1df72a1f6f1b911e727e5cab241
parent	9e28f459b4d003072d84fce57811b26ff8245f54 [diff] [blame]