BUG/MEDIUM: h2: reject non-3-digit status codes
If the H1 parser reported a status code whose length was not exactly
3 digits, the error case was confused with a lack of buffer room and
caused the parser to loop infinitely.
diff --git a/src/mux_h2.c b/src/mux_h2.c
index 3696521..4153620 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2609,7 +2609,13 @@
outbuf.str[outbuf.len++] = 0x88; // indexed field : idx[08]=(":status", "200")
else if (outbuf.len < outbuf.size && h1m->status == 304)
outbuf.str[outbuf.len++] = 0x8b; // indexed field : idx[11]=(":status", "304")
- else if (list[0].v.len == 3 && outbuf.len + 2 + 3 <= outbuf.size) {
+ else if (unlikely(list[0].v.len != 3)) {
+ /* this is an unparsable response */
+ h2s_error(h2s, H2_ERR_INTERNAL_ERROR);
+ ret = 0;
+ goto end;
+ }
+ else if (unlikely(outbuf.len + 2 + 3 <= outbuf.size)) {
/* basic encoding of the status code */
outbuf.str[outbuf.len++] = 0x48; // indexed name -- name=":status" (idx 8)
outbuf.str[outbuf.len++] = 0x03; // 3 bytes status
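Review bot: The branch-prediction hint on the new room check is inverted: `else if (unlikely(outbuf.len + 2 + 3 <= outbuf.size))` marks the case where the output buffer has enough room as unlikely, yet that is the normal path for every non-200/304 response, and the removed line carried no hint at all on this condition. The hint belongs on the failure side, so either drop it, `else if (outbuf.len + 2 + 3 <= outbuf.size) {`, or keep `unlikely()` only on the length check above it. The comment on the new error path could also state what is actually being rejected, e.g. `/* status is not exactly 3 digits: unparsable response, abort the stream */`, since the generic "unparsable response" wording does not tell a reader why a length test leads to H2_ERR_INTERNAL_ERROR. The enclosing function and the `end` label the new code jumps to lie outside this hunk, so the cleanup performed there is not visible here.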