From 433cce7af1b332d387ad65688590fd19093e3e3a Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 26 May 2026 10:25:54 +0200
Subject: [PATCH] BUG/MEDIUM: h3: reject client push stream

HTTP/3 push streams can only be opened by a server instance. The
specification mandates that the connection must be closed if a server
receives a client-initiated push stream.

This patch should ensure that it is not possible to exploit
unidirectional streams for an unexpected usage.

This must be backported up to 2.6.
---
 src/h3.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/h3.c b/src/h3.c
index bd91d7ec9..6210f2c16 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -212,6 +212,19 @@ static ssize_t h3_init_uni_stream(struct h3c *h3c, struct qcs *qcs,
 		break;
 
 	case H3_UNI_S_T_PUSH:
+		if (!conn_is_back(qcs->qcc->conn)) {
+			/* RFC 9114 6.2.2. Push Streams
+			 *
+			 * Only servers can push; if a server receives a client-initiated push
+			 * stream, this MUST be treated as a connection error of type
+			 * H3_STREAM_CREATION_ERROR.
+			 */
+			TRACE_ERROR("reject push from client", H3_EV_H3S_NEW, qcs->qcc->conn, qcs);
+			qcc_set_error(qcs->qcc, H3_ERR_STREAM_CREATION_ERROR, 1,
+			              muxc_tevt_type_proto_err);
+			qcc_report_glitch(qcs->qcc, 1);
+			goto err;
+		}
 		/* TODO not supported for the moment */
 		h3s->type = H3S_T_PUSH;
 		break;