BUG/MINOR: hpack: reject invalid header index
If the hpack decoder sees an invalid header index, it emits value
"### ERR ###" that was used during debugging instead of rejecting the
block. This is harmless, and was detected by h2spec.
To backport to 1.8.
diff --git a/include/common/hpack-tbl.h b/include/common/hpack-tbl.h
index 5de9d20..824c400 100644
--- a/include/common/hpack-tbl.h
+++ b/include/common/hpack-tbl.h
@@ -154,6 +154,12 @@
return &dht->dte[idx];
}
+/* returns non-zero if <idx> is valid for table <dht> */
+static inline int hpack_valid_idx(const struct hpack_dht *dht, uint16_t idx)
+{
+ return idx < dht->used + HPACK_SHT_SIZE;
+}
+
/* return a pointer to the header name for entry <dte>. */
static inline struct ist hpack_get_name(const struct hpack_dht *dht, const struct hpack_dte *dte)
{
diff --git a/src/hpack-dec.c b/src/hpack-dec.c
index 1a776bc..0515d01 100644
--- a/src/hpack-dec.c
+++ b/src/hpack-dec.c
@@ -177,6 +177,11 @@
goto leave;
}
+ if (!hpack_valid_idx(dht, idx)) {
+ ret = -HPACK_ERR_TOO_LARGE;
+ goto leave;
+ }
+
value = hpack_alloc_string(tmp, idx, hpack_idx_to_value(dht, idx));
if (!value.ptr) {
ret = -HPACK_ERR_TOO_LARGE;
@@ -316,6 +321,11 @@
goto leave;
}
+ if (!hpack_valid_idx(dht, idx)) {
+ ret = -HPACK_ERR_TOO_LARGE;
+ goto leave;
+ }
+
/* retrieve value */
huff = *raw & 0x80;
vlen = get_var_int(&raw, &len, 7);