From 8e77620616d04c470c6675860211d8d89c8b4135 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 26 May 2026 10:41:07 +0200
Subject: [PATCH] BUG/MINOR: h3: reject server push stream

Push streams are not supported by haproxy as a client. Thus, it never emits any MAX_PUSH_ID frame. In this case, the server is not allowed to initiate any push stream. This patch ensures that such stream is closed with error H3_ID_ERROR, as specified by HTTP/3 RFC. This must be backported up to 3.3.
---
 src/h3.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/h3.c b/src/h3.c
index 6210f2c16..c412eb8ee 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -225,8 +225,20 @@ static ssize_t h3_init_uni_stream(struct h3c *h3c, struct qcs *qcs,
 qcc_report_glitch(qcs->qcc, 1);
 goto err;
 }
- /* TODO not supported for the moment */
- h3s->type = H3S_T_PUSH;
+ else {
+ /* RFC 9114 4.6. Server Push
+ *
+ * A client MUST treat receipt of a push stream as a connection
+ * error of type H3_ID_ERROR when no MAX_PUSH_ID frame has been sent or
+ * when the stream references a push ID that is greater than the maximum
+ * push ID.
+ */
+ TRACE_ERROR("reject push from server outside of MAX_PUSH_ID", H3_EV_H3S_NEW, qcs->qcc->conn, qcs);
+ qcc_set_error(qcs->qcc, H3_ERR_ID_ERROR, 1,
+ muxc_tevt_type_proto_err);
+ qcc_report_glitch(qcs->qcc, 1);
+ goto err;
+ }
 break;

 case H3_UNI_S_T_QPACK_DEC:
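Review bot: The rejection in the new `else` arm is unconditional, but the comment only quotes the RFC and the trace text says "outside of MAX_PUSH_ID", so nothing here records that the check relies on haproxy never sending MAX_PUSH_ID as a client. I would add a line such as `/* haproxy never emits MAX_PUSH_ID, so any push stream from the server is invalid */` above the TRACE_ERROR, so the branch is revisited if push support is ever added. Separately, the preceding arm and the new one both end in `goto err`, which leaves the `break;` after the `else` unreachable; either drop the `else` nesting or remove the `break;`. The `if` condition and the rest of h3_init_uni_stream are outside the hunk, so this is based only on the visible lines.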