BUG/MEDIUM: h3: reject client push stream

HTTP/3 push streams can only be opened by a server instance. The
specification mandates that the connection must be closed if a server
receives a client-initiated push stream.

This patch should ensure that it is not possible to exploit
unidirectional streams for an unexpected usage.

This must be backported up to 2.6.
This commit is contained in:
Amaury Denoyelle 2026-05-26 10:25:54 +02:00
parent 4a9ec66fd8
commit 433cce7af1

@ -212,6 +212,19 @@ static ssize_t h3_init_uni_stream(struct h3c *h3c, struct qcs *qcs,
break;
case H3_UNI_S_T_PUSH:
if (!conn_is_back(qcs->qcc->conn)) {
/* RFC 9114 6.2.2. Push Streams
*
* Only servers can push; if a server receives a client-initiated push
* stream, this MUST be treated as a connection error of type
* H3_STREAM_CREATION_ERROR.
*/
TRACE_ERROR("reject push from client", H3_EV_H3S_NEW, qcs->qcc->conn, qcs);
qcc_set_error(qcs->qcc, H3_ERR_STREAM_CREATION_ERROR, 1,
muxc_tevt_type_proto_err);
qcc_report_glitch(qcs->qcc, 1);
goto err;
}
/* TODO not supported for the moment */
h3s->type = H3S_T_PUSH;
break;
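Review bot: The unchanged `/* TODO not supported for the moment */` comment after the new `if (!conn_is_back(qcs->qcc->conn))` block now covers only the backend case, where the peer is a server and still gets `h3s->type = H3S_T_PUSH;`. It would help to reword that comment to say so explicitly, and to state what happens to the data received on such a stream while push remains unsupported. The commit message's aim of preventing unexpected use of unidirectional streams applies to that remaining path as well. The rejection branch itself reads cleanly: it sets H3_ERR_STREAM_CREATION_ERROR as the quoted RFC 9114 6.2.2 text requires, reports a glitch, and leaves via `goto err`.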