From 8e1d33a6481a2e301512c3d3deb7467ade432ebf Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sat, 23 May 2026 19:42:43 +0200 Subject: [PATCH] BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep When the PRIORITY flag is present on a HEADERS frame, the frame must contain a stream dependency and a weight, for a total of 5 bytes. The length is checked after reading the stream dep field so theoretically such a frame could cause up to 4-byte OOB read at the end of the buffer, though in practice buffers allocated from pools never end on a page boundary (one extra word at the end) and the anomaly is still detected after reading the stream ID and the connection aborted with the glitch count incremented. Thus while not technically correct, practically speaking it's harmless. This should be backported to all stable releases. --- src/mux_h2.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index 8a54e3a0c..7546e04a6 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -6236,6 +6236,13 @@ next_frame: /* Skip StreamDep and weight for now (we don't support PRIORITY) */ if (h2c->dff & H2_F_HEADERS_PRIORITY) { + if (flen < 5) { + h2c_report_glitch(h2c, 1, "too short PRIORITY frame"); + TRACE_STATE("too short PRIORITY frame", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn); + h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR); + goto fail; + } + if (read_n32(hdrs) == h2c->dsi) { /* RFC7540#5.3.1 : stream dep may not depend on itself */ h2c_report_glitch(h2c, 1, "PRIORITY frame referencing itself"); @@ -6245,13 +6252,6 @@ next_frame: goto fail; } - if (flen < 5) { - h2c_report_glitch(h2c, 1, "too short PRIORITY frame"); - TRACE_STATE("too short PRIORITY frame", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_H2C_ERR|H2_EV_PROTO_ERR, h2c->conn); - h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR); - goto fail; - } - hdrs += 5; // stream dep = 4, weight = 1 flen -= 5; }