BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
While parsing a HEADERS frame, if the frame wraps around the end of the
buffer and needs to be unwrapped, it is first copied into a temporary
buffer before being processed. But if the frame carries certain
combinations of invalid flags or fields, the parser returns early
without releasing that temporary buffer, leading to a memory leak.
This fix needs to be backported to 1.8.
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 1596f37..f7e327e 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2746,7 +2746,7 @@
if (h2c->dpl >= flen) {
/* RFC7540#6.2 : pad length = length of frame payload or greater */
h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
- return 0;
+ goto fail;
}
flen -= h2c->dpl + 1;
hdrs += 1; // skip Pad Length
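Review bot: Nothing at this exit explains why `goto fail` now replaces `return 0`, so the next validation check added to this parser is likely to reintroduce the leak the commit fixes; a short comment on the new line, such as `goto fail; /* never return directly: a wrapped frame may own a temp buffer that fail releases */`, would make the invariant visible where it matters. The `fail` label, its cleanup and its return value are outside the hunk, as is the rest of the enclosing function, so this review cannot confirm that the label frees the temporary copy on this path or that it still returns the 0 the old code did; both are worth checking so callers see no behavioural difference beyond the leak fix. The `h2c->dpl >= flen` guard itself matches the RFC 7540 §6.2 rule quoted in the comment above it and is evaluated before `flen` is reduced, which appears correct.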
@@ -2757,7 +2757,7 @@
if (read_n32(hdrs) == h2s->id) {
/* RFC7540#5.3.1 : stream dep may not depend on itself */
h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
- return 0;//goto fail_stream;
+ goto fail;
}
hdrs += 5; // stream dep = 4, weight = 1