MINOR: h3: reject too big frames
The whole frame payload must have been received to demux a H3 frames,
except for H3 DATA which can be fragmented into multiple HTX blocks.
If the frame is bigger than the buffer and is not a DATA frame, a
connection error is reported with error H3_EXCESSIVE_LOAD.
This should be completed in the future with the H3 settings to limit the
size of uncompressed header section.
This code is more generic : it can handle every H3 frames. This is done
in order to be able to use h3_decode_qcs() to demux both uni and bidir
streams.
diff --git a/src/h3.c b/src/h3.c
index 8d2732e..c2dfd00 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -296,11 +296,24 @@
flen = h3s->demux_frame_len;
ftype = h3s->demux_frame_type;
- /* Do not demux HEADERS if frame incomplete. */
- if (ftype == H3_FT_HEADERS && flen > b_data(&b)) {
- BUG_ON(ncb_is_full(rxbuf)); /* TODO should define SETTINGS for max header size */
+
+ /* Do not demux incomplete frames except H3 DATA which can be
+ * fragmented in multiple HTX blocks.
+ */
+ if (flen > b_data(&b) && ftype != H3_FT_DATA) {
+ /* Reject frames bigger than bufsize.
+ *
+ * TODO HEADERS should in complement be limited with H3
+ * SETTINGS_MAX_FIELD_SECTION_SIZE parameter to prevent
+ * excessive decompressed size.
+ */
+ if (flen > ncb_size(rxbuf)) {
+ qcc_emit_cc_app(qcs->qcc, H3_EXCESSIVE_LOAD);
+ return 1;
+ }
break;
}
+
last_stream_frame = (fin && flen == ncb_total_data(rxbuf));
switch (ftype) {
@@ -316,14 +329,15 @@
break;
case H3_FT_PUSH_PROMISE:
/* Not supported */
- ret = MIN(ncb_data(rxbuf, 0), flen);
+ ret = flen;
break;
default:
/* draft-ietf-quic-http34 9. Extensions to HTTP/3
* unknown frame types MUST be ignored
*/
h3_debug_printf(stderr, "ignore unknown frame type 0x%lx\n", ftype);
- ret = MIN(ncb_data(rxbuf, 0), flen);
+ ret = flen;
+ break;
}
if (ret) {